Posted to commits@wicket.apache.org by "Maxim Solodovnik (Jira)" <ji...@apache.org> on 2020/10/24 06:26:00 UTC

[jira] [Resolved] (WICKET-6846) wicket-ajax-jquery.js ActiveX control discovery - Unpatched Application

     [ https://issues.apache.org/jira/browse/WICKET-6846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maxim Solodovnik resolved WICKET-6846.
--------------------------------------
    Resolution: Fixed

> wicket-ajax-jquery.js   ActiveX control discovery - Unpatched Application
> -------------------------------------------------------------------------
>
>                 Key: WICKET-6846
>                 URL: https://issues.apache.org/jira/browse/WICKET-6846
>             Project: Wicket
>          Issue Type: Task
>          Components: wicket
>    Affects Versions: 8.10.0
>         Environment: Windows 2012
>            Reporter: abbas ali
>            Assignee: Maxim Solodovnik
>            Priority: Minor
>              Labels: security
>             Fix For: 8.11.0
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, we use wicket-ajax-jquery.js library. Our WebInspect vulnerability scan reported the vulnerability "ActiveX control discovery - Unpatched Application". It says 
>  "Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities".
>  
> Recommendations include applying any relevant service
>  pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you
>  have already applied the proper fix, then this vulnerability can safely be ignored.
>  Ref:[https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035]
> [https://www.cvedetails.com/cve/CVE-2009-0901/]
>  
> May I check that the ActiveXObject used in the below code (wicket-ajax-jquery.js) is created with a patched version of Visual Studio and is free from this vulnerability?
>  
> ------
> (window.ActiveXObject){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}
> catch(err6){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}
> catch(err5){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}
> catch(err4){try
> {xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}
> catch(err3){try
> {xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}
> catch(err2){Wicket.Log.error("Cannot create DOM



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
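The quoted snippet instantiates MSXML ActiveX controls by ProgID, which is what scanners such as WebInspect pattern-match on. The following is an added example (not Wicket's code and not the fix recorded for WICKET-6846, which the ticket does not describe): it prefers the standards-based DOMParser, reaches the ActiveX fallback chain only when DOMParser is absent, and reports the "Cannot create DOM" failure through an injected logger instead of throwing. The `env` parameter standing in for `window`, the `log` callback, and the two constructed environments used to exercise it are assumptions made here so the logic runs outside a browser.

```javascript
// MSXML ProgIDs in the same preference order as the Wicket snippet above.
const MSXML_PROGIDS = [
  "Msxml2.DOMDocument.6.0",
  "Msxml2.DOMDocument.5.0",
  "Msxml2.DOMDocument.4.0",
  "MSXML2.DOMDocument.3.0",
  "Microsoft.XMLDOM",
];

// Build an XML DOM from `xmlText`. `env` stands in for the browser `window`
// (assumption: pass `window` in a real page); `log` receives the failure message.
// Returns { doc, via } so callers can see which path produced the document.
function createXmlDocument(xmlText, env, log) {
  // 1. Standards path: every modern browser (and IE 9+) exposes DOMParser,
  //    so no ActiveX control is ever touched there.
  if (typeof env.DOMParser === "function") {
    const doc = new env.DOMParser().parseFromString(xmlText, "text/xml");
    return { doc, via: "DOMParser" };
  }
  // 2. Legacy path: only reached on browsers that lack DOMParser.
  if (typeof env.ActiveXObject !== "undefined") {
    for (const progId of MSXML_PROGIDS) {
      try {
        const doc = new env.ActiveXObject(progId);
        doc.async = false;
        doc.loadXML(xmlText);
        return { doc, via: progId };
      } catch (err) {
        // ProgID not registered on this machine; fall through to the next, older one.
      }
    }
  }
  // 3. Neither API is available: surface the failure rather than returning undefined.
  log("Cannot create DOM document");
  return { doc: null, via: null };
}

// Constructed stand-in for a modern browser (not a real DOMParser).
function modernEnv() {
  return {
    DOMParser: function () {
      this.parseFromString = (text) => ({ source: text, root: text.match(/<([\w-]+)/)[1] });
    },
  };
}

// Constructed stand-in for a legacy IE host where only `registered` ProgIDs exist.
function legacyEnv(registered) {
  return {
    ActiveXObject: function (progId) {
      if (!registered.includes(progId)) {
        throw new Error("Automation server can't create object: " + progId);
      }
      this.progId = progId;
      this.loadXML = function (text) { this.source = text; };
    },
  };
}
```

On a modern browser the ActiveX branch is dead code; on a legacy host the loop mirrors the nested try/catch chain of the original snippet but keeps the ProgID list in one place, which makes the fallback order auditable and easy to trim.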