[Clipart] Hacking attempt?

momo momo at lumenstudio.net
Thu Dec 1 13:07:41 PST 2005 

I agree, this could be a good way to handle the problem of malicious code, 
but what I wanted to propose was also a "human quality control". In fact, I 
see today that there is a lot of crap in the clipart (like broken or 0Kb 
files), and lots of files missing keywords, so they are defacto unfindable 
(pardon my english) and because of that unused (wich is almost the same as 
inexistant).

So cleaning, controling and adding keywords to every file would be a great 
improvement to the (poor) quality of today cliparts and at the same time an 
possibility to filter potential hacks.

I really think we should do it because the clipart is growing fast and if we 
keep it this way, one day we will end up with 1Gb of poor quality clipart 
that no one would handle to open file by file to correct.

Also, there are lots of clipart files that should be deleted because of 
their very poor quality or because they contain copyrighted graphics. Here 
are some examples:
- 
http://openclipart.org/clipart/computer/icons/battery_snuatautisticido_04.svg 
(doesn't really look like a battery...)
- 
http://openclipart.org/clipart/computer/icons/lemon-theme/mimetypes/exec_wine.svg 
(MS logo)
- 
http://openclipart.org/clipart/computer/icons/lemon-theme/actions/samba.svg 
(MS logo)
- http://openclipart.org/clipart/computer/icons/lemon-theme/apps/blender.svg 
(Blenger logo)
- http://openclipart.org/clipart/computer/icons/lemon-theme/apps/firefox.svg 
(Firefox logo, copyright Mozilla Corp.)
- http://openclipart.org/clipart//unsorted/mygraph_john_rariden_01.svg (not 
really a piece of clipart...)

By deleting crap, we could raise the overall quality of OpenClipart, so more 
people and organisations would find it interesting to use or distribute.

Thanks!

Mo.

----- Original Message ----- 
From: "Jurgentje" <jurgentje.linux at telenet.be>
To: "momo" <momo at lumenstudio.net>
Sent: Thursday, December 01, 2005 8:25 PM
Subject: Re: [Clipart] Hacking attempt?


> Ummm... pardon my simplicity...
>
> wouldn't it be enough to just check for proper extensions? I assume that 
> even PHP code or some frikkin' DirectX code won't get executed remotely if 
> the REAL extension is .svg?
>
> Just my 2 eurocent. ;)
>
> Jurgen.
>
> momo wrote:
>> AAAA!!!! you killled Winnie the POOH!!! It's horrible!!! Poor Winnie!!!
>>
>> :)))))))
>>
>> Now seriously: I think that it is a very big problem we have here, and it 
>> won't be the last attempt to attack or somehow "disturb" OpenClipart, so 
>> I have a question: Is there a possibility to manually check the code for 
>> each uploaded file? I mean creating a system where OpenClipart admins 
>> would have the possibility to log in, and see all the uploaded files to 
>> check them (check for malicious code, add keywords etc...) and then 
>> approve (or delete) these files. Once approoved, the files would be 
>> placed inside the clipart on the web and in the releases.
>>
>> After the Upload, the files would be just placed on the server (inside a 
>> folder on FTP for example.) When approved, they will then be submitted to 
>> the clipart. This way the first step (check and approoval/denial) will be 
>> like some sort of buffer between the clipart and the "potentially 
>> malicious" uploaders.
>>
>> Manually check the files is the only way to control the quality of the 
>> submitted clipart and I personally am ready to do it if I'll have the 
>> possibility.
>>
>> Thanks,
>>
>> Mo.
>>
>>
>>
>> ----- Original Message ----- From: "Jon Phillips" <jon at rejon.org>
>> To: <clipart at lists.freedesktop.org>
>> Cc: <webmaster at adufo>
>> Sent: Thursday, December 01, 2005 11:13 AM
>> Subject: Re: [Clipart] Hacking attempt?
>>
>>
>>> On Wed, 2005-11-30 at 16:02 -0800, Open Clip Art Library Feedback Form
>>> wrote:
>>>> Name: Arnaud GRANAL
>>>> E-mail: webmaster at aduf.org
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I was looking for a clipart called "warning" on your website and I've
>>>> found the following file:
>>>> http://www.openclipart.org/incoming/winnie_the_pooh.svg.php
>>>>
>>>> This file seems to allow a remote attacker to execute commands on
>>>> your serveur.
>>>
>>> I killed it!
>>>
>>> -- 
>>> Jon Phillips
>>>
>>> San Francisco, CA
>>> USA PH 510.499.0894
>>> jon at rejon.org
>>> http://www.rejon.org
>>>
>>> MSN, AIM, Yahoo Chat: kidproto
>>> Jabber Chat: rejon at gristle.org
>>> IRC: rejon at irc.freenode.net
>>>
>>> Inkscape (http://inkscape.org)
>>> Open Clip Art Library (www.openclipart.org)
>>> Creative Commons (www.creativecommons.org)
>>> San Francisco Art Institute (www.sfai.edu)
>>>
>>> _______________________________________________
>>> clipart mailing list
>>> clipart at lists.freedesktop.org
>>> http://lists.freedesktop.org/mailman/listinfo/clipart
>>>
>>
>> _______________________________________________
>> clipart mailing list
>> clipart at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/clipart
>
>

More information about the clipart mailing list