Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2015/06/20 14:27:00 UTC

[jira] [Resolved] (WICKET-5927) Velocity remote code execution

     [ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-5927.
-------------------------------------
    Resolution: Fixed

Wicket-Examples now uses custom velocity.properties so it doesn't allow usage of classloaders and thus prevents the vulnerability.

Applications should do the same if they need the same security.

Thanks for reporting!

> Velocity remote code execution
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>            Assignee: Martin Grigorov
>            Priority: Critical
>             Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
>         Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can possibly be executed, using e.g. java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel


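The following is an added demonstration, not code from the Wicket or Velocity projects or from either participant above. It renders one attacker-shaped Velocity template twice, once with Velocity's default uberspector and once with the SecureUberspector setting the report recommends, so the effect of `runtime.introspector.uberspect` can be observed directly. It assumes Velocity 1.7 (org.apache.velocity:velocity:1.7) on the classpath; the template, the context variable name `name`, and the marker strings are constructed for the demo. The probe deliberately stops at the `java.lang.Class` object and prints its name instead of continuing to `getRuntime().exec()`, so it is safe to run.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added demo (not Wicket or Velocity project code). Assumes Velocity 1.7.
 * Shows what runtime.introspector.uberspect changes when an untrusted
 * template is rendered.
 */
public class VelocitySandboxDemo {

    /**
     * Constructed probe template. It takes the same first two steps as the
     * classic classloader pivot: every object in the context exposes
     * getClass(), and Class.forName() then reaches any class, including
     * java.lang.Runtime. A real payload would continue with
     * .getRuntime().exec(...); the probe only reports whether it got there.
     */
    static final String PROBE =
          "#set($rt = $name.getClass().forName('java.lang.Runtime'))"
        + "#if($rt)REACHED:$rt.getName()#{else}BLOCKED#end";

    /** Builds an engine with either the default UberspectImpl or SecureUberspector. */
    static VelocityEngine newEngine(boolean secure) {
        Properties p = new Properties();
        // Keep the demo quiet; SecureUberspector logs a warning for every refused call.
        p.setProperty("runtime.log.logsystem.class",
                      "org.apache.velocity.runtime.log.NullLogChute");
        if (secure) {
            // The setting named in the report. SecureUberspector refuses to resolve
            // methods on java.lang.Class, ClassLoader, Runtime, System, Thread and the
            // other classes listed in introspector.restrict.classes, and on anything in
            // the packages listed in introspector.restrict.packages (java.lang.reflect).
            p.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        VelocityEngine ve = new VelocityEngine(p);
        ve.init();
        return ve;
    }

    /** Evaluates an untrusted template string against a context holding one harmless String. */
    static String render(VelocityEngine ve, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "World");   // any object in the context works as the pivot
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "probe", template);
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("default uberspector: " + render(newEngine(false), PROBE));
        System.out.println("SecureUberspector  : " + render(newEngine(true), PROBE));
    }
}
```

With the default uberspector, `forName` is just another public method on the `Class` object returned by `getClass()`, so the `#set` succeeds and the probe reaches `java.lang.Runtime`. With SecureUberspector, the call to `getClass()` on a String is still permitted (String, Number and Boolean methods are always allowed), but `forName` is refused because `java.lang.Class` is in the restricted class list; the method lookup returns null, and since `directive.set.null.allowed` defaults to false the `#set` is skipped and `$rt` stays undefined. Two caveats for anyone applying the fix to their own application: the restriction lives in the engine configuration, so every `VelocityEngine` (or the static `Velocity` singleton) that renders user-supplied templates needs the property, and the class and package lists are deny-lists, so an object you place in the context that itself exposes a reflective or process-spawning method is not covered by them.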

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)