[Commons-l] GIFAR vulnerability and commons

Jeremy Baron jeremy at tuxmachine.com
Tue Aug 12 01:09:08 UTC 2008


AIUI, a GIFAR hosted on upload.wikimedia.org marked as a gif file can  
do anything with cookies that a standard applet could if hosted on  
upload.wikimedia.org.  (if jar were a permitted file type)  That  
*should* be limited to reading (and writing?) cookies for  
upload.wikimedia.org and .wikimedia.org neither of which have  
valuable cookies.

Not storing anything valuable under .wikimedia.org is why you have to
go through [[special:userlogin]] manually for wikispecies and other
smallish wikimedia.org subdomain wikis, and why you need to load a
separate image on [[special:userlogin]] for each of the larger
wikimedia.org subdomains that you want to work automatically, but
Wikipedias and other projects with their own second-level domain have
SUL for all languages just by loading a single image;
.wikipedia.org, .wikibooks.org, etc. do have valuable cookies.

--Jeremy

[[w:en:user:jeremyb]] (globally with SUL)

On Aug 11, 2008, at 6:41 PM, Daniel Schwen wrote:
>> Please no scare mongering. Wikimedia sites are not vulnerable to  
>> this.
> Yeah, sorry, but you know what they say about paranoid admins...
>
>> What I wasn't able to reproduce is a file which both passed the
>> upload validation and which was executed by the Sun JRE... though
>> I didn't
> Well, that part works:
> http://commons.wikimedia.org/wiki/Image:Gifar.gif
> and test page at
> http://toolserver.org/~dschwen/test.html
>
>> try hard once I realize that the use of a different domain for
>> uploading provided strong protection. It might well be that the
>> upload
> That is true. So there is no way to get to cookies at all? There
> are the wikipedia.org centralauth_Token and centralauth_User
>
> would an applet not be able to read those in a browser that supports
> LiveConnect?
>
> What the applet then would do with the cookies is another story.
> -- 
> [[en:User:Dschwen]]
> [[de:Benutzer:Dschwen]]
> [[commons:User:Dschwen]]
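The mechanics behind the thread above, as an added example (Python, not code from the original mailing-list post and not MediaWiki's own upload validator): a GIF parser reads from the front of a file while a ZIP/JAR reader locates the end-of-central-directory record from the back, so a valid GIF with a valid JAR appended after it satisfies both. The block builds such a polyglot from a constructed 1x1 GIF and a constructed placeholder JAR (the "Evil.class" entry is a few filler bytes, not real bytecode), shows that a magic-byte check of the kind Daniel's "passed the upload validation" refers to accepts it while the ZIP reader still lists its entries, and then shows a stricter check that walks the GIF block structure and rejects anything after the trailer. The naive and hardened validators are hypothetical stand-ins written for this example.

```python
"""GIF/JAR polyglot ("GIFAR") construction and detection.
All inputs are constructed in memory; nothing is written to disk."""
import io
import struct
import zipfile
from typing import List, Optional

GIF_HEADERS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIGNATURE = b"PK\x05\x06"   # end-of-central-directory record


def minimal_gif(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample input: a well-formed 1x1 GIF89a with a 2-entry palette."""
    header = b"GIF89a"
    # logical screen descriptor: width, height, flags (global colour table, 2 entries), bg index, aspect
    lsd = struct.pack("<HHBBB", width, height, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"                      # black, white
    image_descriptor = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    lzw = b"\x02\x02\x44\x01\x00"        # min code size 2; one sub-block: clear, pixel 0, end; terminator
    trailer = b"\x3b"
    return header + lsd + gct + image_descriptor + lzw + trailer


def minimal_jar(class_name: str = "Evil", payload: bytes = b"\xca\xfe\xba\xbe") -> bytes:
    """Constructed sample input: a ZIP with a JAR manifest and a placeholder class entry.
    The payload is filler, not real bytecode; only the archive structure matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr(f"{class_name}.class", payload)
    return buf.getvalue()


def make_gifar(gif: bytes, jar: bytes) -> bytes:
    """GIF first (header checks look at the front), JAR last (ZIP readers look at the back)."""
    return gif + jar


def naive_is_gif(data: bytes) -> bool:
    """Hypothetical weak validator: magic bytes only."""
    return data[:6] in GIF_HEADERS


def opens_as_zip(data: bytes) -> List[str]:
    """Entry names a ZIP/JAR reader sees in `data`; empty list if it is not a ZIP.
    Python's zipfile, like the JVM, tolerates arbitrary bytes before the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return []


def gif_trailer_offset(data: bytes) -> Optional[int]:
    """Walk the GIF block structure; return the offset just past the trailer (0x3B),
    or None if the structure is malformed before a trailer is reached."""
    if data[:6] not in GIF_HEADERS or len(data) < 13:
        return None
    flags = data[10]
    pos = 13                                         # header + logical screen descriptor
    if flags & 0x80:                                 # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (flags & 0x07))

    def skip_subblocks(p: int) -> Optional[int]:
        while p < len(data):
            n = data[p]
            p += 1 + n
            if n == 0:                               # zero-length block terminates the sequence
                return p
        return None

    while pos is not None and pos < len(data):
        sep = data[pos]
        if sep == 0x3B:                              # trailer
            return pos + 1
        if sep == 0x21:                              # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        elif sep == 0x2C:                            # image descriptor (10 bytes incl. separator)
            if pos + 10 > len(data):
                return None
            iflags = data[pos + 9]
            pos += 10
            if iflags & 0x80:                        # local colour table
                pos += 3 * (2 << (iflags & 0x07))
            pos = skip_subblocks(pos + 1)            # +1 skips the LZW minimum code size
        else:
            return None
    return None


def hardened_is_gif(data: bytes) -> bool:
    """Hypothetical strict validator: the file must be exactly one well-formed GIF,
    ending at its trailer with no trailing bytes. The EOCD signature scan is defense
    in depth against an archive smuggled inside the image's own blocks."""
    end = gif_trailer_offset(data)
    if end is None or end != len(data):
        return False
    return ZIP_EOCD_SIGNATURE not in data


def demo() -> dict:
    gif, jar = minimal_gif(), minimal_jar()
    gifar = make_gifar(gif, jar)
    return {
        "naive_accepts_gifar": naive_is_gif(gifar),          # True: header is intact
        "jar_entries_in_gifar": opens_as_zip(gifar),         # manifest and class are reachable
        "hardened_accepts_gif": hardened_is_gif(gif),
        "hardened_accepts_gifar": hardened_is_gif(gifar),    # False: bytes after the trailer
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trailing-data check is the one that matters for the appended-JAR case: the JVM needs the archive's central directory and local headers intact, so they cannot sit anywhere other than after the image's trailer without breaking the GIF walk. Note that this only addresses the upload side; the point Jeremy makes above, serving uploads from a domain that holds no valuable cookies, is what bounds the damage if a polyglot does get through.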
