You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "sergej m (JIRA)" <ji...@apache.org> on 2015/06/19 21:53:00 UTC

[jira] [Commented] (WICKET-5927) Velocity remote code execution

    [ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593865#comment-14593865 ] 

sergej m commented on WICKET-5927:
----------------------------------

Now I can show, that remote code execution ist possible. I created a sample project to show this problem und sent it to wicket security. I changed the ticket title to "Velocity remote code execution".

> Velocity remote code execution
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>            Assignee: Martin Grigorov
>            Priority: Critical
>             Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
>         Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)