Posted to commits@wicket.apache.org by "abbas ali (Jira)" <ji...@apache.org> on 2020/10/21 01:45:00 UTC

[jira] [Updated] (WICKET-6846) wicket-ajax-jquery.js ActiveX control discovery - Unpatched Application

     [ https://issues.apache.org/jira/browse/WICKET-6846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

abbas ali updated WICKET-6846:
------------------------------
    Description: 
In our environment, we use wicket-ajax-jquery.js library. Our WebInspect vulnerability scan reported the vulnerability "ActiveX control discovery - Unpatched Application". It says 
 "Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities".

 

Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.

 Ref:[https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035]

[https://www.cvedetails.com/cve/CVE-2009-0901/]

 

May I check whether the ActiveXObject used in the code below (wicket-ajax-jquery.js) was created with a patched version of Visual Studio and is free from this vulnerability?

 

------

(window.ActiveXObject){try
{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}
catch(err6){try
{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}
catch(err5){try
{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}
catch(err4){try
{xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}
catch(err3){try
{xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}
catch(err2){Wicket.Log.error("Cannot create DOM

  was:
In our environment, we use wicket-ajax-jquery.js library. Our WebInspect vulnerability scan reported the vulnerability "ActiveX control discovery - Unpatched Application". It says 
"Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities".

 

Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.

 

May I check whether the ActiveXObject used in the code below (wicket-ajax-jquery.js) was created with a patched version of Visual Studio and is free from this vulnerability?

 

------

(window.ActiveXObject){try{xmlDocument=new ActiveXObject
("Msxml2.DOMDocument.6.0")}catch(err6){try{xmlDocument=new ActiveXObject
("Msxml2.DOMDocument.5.0")}catch(err5){try{xmlDocument=new ActiveXObject
("Msxml2.DOMDocument.4.0")}catch(err4){try{xmlDocument=new ActiveXObject
("MSXML2.DOMDocument.3.0")}catch(err3){try{xmlDocument=new ActiveXObject
("Microsoft.XMLDOM")}catch(err2){Wicket.Log.error("Cannot create DOM


> wicket-ajax-jquery.js   ActiveX control discovery - Unpatched Application
> -------------------------------------------------------------------------
>
>                 Key: WICKET-6846
>                 URL: https://issues.apache.org/jira/browse/WICKET-6846
>             Project: Wicket
>          Issue Type: Task
>          Components: wicket
>         Environment: Windows 2012
>            Reporter: abbas ali
>            Priority: Major
>              Labels: security
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, we use wicket-ajax-jquery.js library. Our WebInspect vulnerability scan reported the vulnerability "ActiveX control discovery - Unpatched Application". It says 
>  "Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities".
>  
> Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.
>  Ref:[https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035]
> [https://www.cvedetails.com/cve/CVE-2009-0901/]
>  
> May I check whether the ActiveXObject used in the code below (wicket-ajax-jquery.js) was created with a patched version of Visual Studio and is free from this vulnerability?
>  
> ------
> (window.ActiveXObject){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}
> catch(err6){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}
> catch(err5){try
> {xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}
> catch(err4){try
> {xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}
> catch(err3){try
> {xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}
> catch(err2){Wicket.Log.error("Cannot create DOM



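Added example, not part of the original message and not code from Wicket or WebInspect: one way to triage an "ActiveX control discovery" finding is to list exactly which COM ProgIDs the script requests through `new ActiveXObject(...)`, so each one can be checked against the referenced bulletin. The helper name `findActiveXProgIds` is hypothetical, and the sample input is constructed from the fragment quoted in the issue.

```javascript
// Added example: inventory the COM ProgIDs a script requests via ActiveXObject.
// SAMPLE is constructed from the fragment quoted in the issue, without its
// truncated last line.
const SAMPLE = [
  '(window.ActiveXObject){try',
  '{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.6.0")}',
  'catch(err6){try',
  '{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.5.0")}',
  'catch(err5){try',
  '{xmlDocument=new ActiveXObject ("Msxml2.DOMDocument.4.0")}',
  'catch(err4){try',
  '{xmlDocument=new ActiveXObject ("MSXML2.DOMDocument.3.0")}',
  'catch(err3){try',
  '{xmlDocument=new ActiveXObject ("Microsoft.XMLDOM")}',
].join("\n");

// findActiveXProgIds is a hypothetical helper name, not a Wicket or WebInspect API.
function findActiveXProgIds(source) {
  // Tolerates whitespace before "(" as in the quoted fragment. Group 2 is a
  // string-literal ProgID; group 3 is any other (dynamically built) argument.
  const re = /new\s+ActiveXObject\s*\(\s*(?:(["'])([^"']*)\1\s*|([^)]*))\)/g;
  const found = new Map();
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split("\n").length; // 1-based line
    const literal = m[2] !== undefined;
    const progId = literal ? m[2] : m[3].trim();
    // COM resolves ProgIDs case-insensitively, so fold case when de-duplicating
    // ("Msxml2..." and "MSXML2..." name the same family in the fragment).
    const key = literal ? progId.toLowerCase() : "dynamic:" + progId;
    if (!found.has(key)) found.set(key, { progId, literal, lines: [] });
    found.get(key).lines.push(line);
  }
  return [...found.values()]; // insertion order = fallback order in the script
}

for (const e of findActiveXProgIds(SAMPLE)) {
  const kind = e.literal ? "literal" : "dynamic";
  console.log(`${kind}  ${e.progId}  line(s) ${e.lines.join(",")}`);
}
```

Entries reported as `dynamic` are built at run time and need manual review, since the requested component cannot be read from the source text alone.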