FINDING ID: iSEC-WMF1214-14
TARGETS: The upload feature, available at http://devwiki/wiki/Special:Upload .
Testing indicated that this feature only works in Adobe Reader, whereas other readers such as the PDF
from the wiki domain.
EXPLOIT SCENARIO: An attacker wishes to determine who reads a specific wiki article. The attacker
using an existing PDF document related to the article as a base. A user interested in the topic opens
the PDF for more information while reading the article and their PDF reader sends a request to the
attacker, revealing their IP address, and by extension, their location.
SHORT TERM SOLUTION: Provide a click-through warning informing users that PDF documents are
active content that could potentially de-anonymize them when viewed directly.
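
A check that could sit alongside the warning, given here as an added example that is not part of the original report: it lists the dictionary keys in an uploaded PDF that can make a reader run code or contact a remote host. The key list, the function names and the sample byte strings are assumptions of this example. Names are un-escaped and Flate-compressed streams are inflated before scanning, since both can hide a key from a plain byte search.

```python
import re
import zlib

# Assumption: PDF dictionary keys that can make a reader run code or contact a remote host.
ACTIVE_KEYS = {"URI", "GoToR", "GoToE", "Launch", "SubmitForm", "ImportData",
               "JavaScript", "JS", "OpenAction", "AA"}

NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /J#61vaScript is read as JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflate_streams(data: bytes):
    """Yield the contents of Flate-compressed streams (object streams hide dictionaries)."""
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1), 16 * 1024 * 1024)  # cap output
        except zlib.error:
            continue  # not Flate, or corrupt: nothing to scan here


def active_keys(data: bytes) -> set:
    """Return the active-content keys found in the file body or inside inflated streams."""
    found = set()
    for chunk in [data, *inflate_streams(data)]:
        for match in NAME_RE.finditer(chunk):
            name = decode_name(match.group(1))
            if name in ACTIVE_KEYS:
                found.add(name)
    return found


# Constructed samples (not from the report): fragments of PDF objects.
PLAIN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
LINK = b"5 0 obj\n<< /S /URI /URI (http://example.invalid/) >>\nendobj\n"
ESCAPED = b"6 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
PACKED = (b"7 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /OpenAction 5 0 R >>") + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("link", LINK), ("escaped", ESCAPED), ("packed", PACKED)]:
        print(label, sorted(active_keys(sample)))
```

A byte-level scan like this can over-report, because text inside strings is read as names, and it does not see encrypted documents or filters other than Flate.
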
LONG TERM SOLUTION: Convert uploaded PDFs to static images to avoid issues with active content.
Ensure the library used for conversion is robust, as it will be parsing potentially malicious content on
the server side, where a compromise could be more serious than that of individual users. Consider setting up a