Posted to commits@wicket.apache.org by "sergej m (JIRA)" <ji...@apache.org> on 2015/06/19 21:53:00 UTC
[jira] [Commented] (WICKET-5927) Velocity remote code execution
[ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593865#comment-14593865 ]
sergej m commented on WICKET-5927:
----------------------------------
Now I can show that remote code execution is possible. I created a sample project to show this problem and sent it to wicket security. I changed the ticket title to "Velocity remote code execution".
> Velocity remote code execution
> ------------------------------
>
> Key: WICKET-5927
> URL: https://issues.apache.org/jira/browse/WICKET-5927
> Project: Wicket
> Issue Type: Bug
> Components: site
> Reporter: sergej m
> Assignee: Martin Grigorov
> Priority: Critical
> Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
> Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g. java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
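The mitigation the ticket names, as an added example that is not part of the ticket or of the Wicket project's code: one VelocityEngine left on the default uberspector beside one configured with SecureUberspector, so the difference in how a reflective method call is treated can be observed (Velocity 1.7 API assumed; the context value and template are constructed).

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureUberspectorDemo {

    // Builds an engine; when 'secure' is set, the same property key that the
    // ticket's velocity.properties line uses is applied programmatically.
    static VelocityEngine engine(boolean secure) {
        VelocityEngine ve = new VelocityEngine();
        if (secure) {
            // Equivalent of the properties line:
            // runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                    "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();
        return ve;
    }

    // Renders a template string against a context holding one plain String.
    static String render(VelocityEngine ve, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("text", "hello");   // constructed sample value
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // getClass() on any context object is the entry point to java.lang.Class,
        // which is on SecureUberspector's default restricted-class list.
        String template = "$text.getClass().getName()";

        // Default uberspector: the call is permitted and renders "java.lang.String".
        System.out.println("default: " + render(engine(false), template));

        // SecureUberspector: the method lookup is refused (a warning is logged),
        // the method resolves to null and the reference is left as literal text
        // instead of being executed.
        System.out.println("secure:  " + render(engine(true), template));
    }
}
```

The secure engine also honours the default `introspector.restrict.classes` and `introspector.restrict.packages` lists shipped in Velocity's default properties, so the behaviour above applies to every class in those lists, not only to `getClass()`.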