Posted to dev@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2012/03/22 10:52:30 UTC
[CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.4.x and 1.5.x
Description:
It is possible to view the content of any file of a web application by
using a URL to a Wicket resource which resolves to a 'null' package.
With such a URL the attacker can request the content of any file by specifying
its relative path, i.e. the attacker must know the file name to be able to
request it.
Mitigation:
Set up a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either set up SecurePackageResourceGuard in your WebApplication subclass with code like:

  // import org.apache.wicket.markup.html.SecurePackageResourceGuard;
  @Override
  protected void init()
  {
      super.init();
      ...
      SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
      // patterns starting with '+' accept matching paths, '-' rejects them
      guard.addPattern(...);
      guard.addPattern(...);
      ...
      getResourceSettings().setPackageResourceGuard(guard);
  }

or upgrade to Apache Wicket 1.4.20 or 1.5.5.
Credit:
This issue was discovered by Sebastian van Erk.
Apache Wicket Team
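A worked whitelist guard for the mitigation above, added here as an example (it is not code from the advisory or from the Wicket project). It assumes the Wicket 1.4/1.5 signature IPackageResourceGuard.accept(Class<?> scope, String path); the package, class name and extension set are the example's own choices. It refuses resources scoped to a class in the root package (the scope.getPackage() == null case discussed in this thread), refuses traversal, absolute paths and dot-files, and then applies an extension whitelist:

```java
// Added example, not the advisory's or the Wicket project's own code.
// Assumes Wicket 1.4.x/1.5.x: IPackageResourceGuard.accept(Class<?>, String).
package com.example.security;  // hypothetical package name

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;

public class WhitelistPackageResourceGuard implements IPackageResourceGuard
{
    /** Extensions that may be served; everything else (.class, .properties, .xml, ...) is refused. */
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<String>(
        Arrays.asList("css", "js", "png", "gif", "jpg", "jpeg", "ico")));

    public boolean accept(Class<?> scope, String path)
    {
        // (1) A scope class in the root package has an empty package path, so the
        //     resource's relative path would be resolved from the root. Refuse it.
        if (scope == null || scope.getPackage() == null)
        {
            return false;
        }
        if (path == null || path.length() == 0)
        {
            return false;
        }

        // (2) Normalise separators, then refuse anything that could leave the
        //     scope's package directory or name a hidden file.
        String p = path.replace('\\', '/');
        if (p.startsWith("/") || p.indexOf(':') >= 0)
        {
            return false;                       // absolute, drive-letter or URL-style path
        }
        for (String segment : p.split("/"))
        {
            if (segment.length() == 0 || segment.startsWith("."))
            {
                return false;                   // "//", ".", "..", ".htaccess", ".git"
            }
        }

        // (3) Extension whitelist on the last path segment, compared case-insensitively.
        int dot = p.lastIndexOf('.');
        int slash = p.lastIndexOf('/');
        if (dot < 0 || dot < slash)
        {
            return false;                       // no extension at all
        }
        String ext = p.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext);
    }

    // Registration, in the application's init() (MyApp extends WebApplication):
    //
    //   @Override
    //   protected void init()
    //   {
    //       super.init();
    //       getResourceSettings().setPackageResourceGuard(new WhitelistPackageResourceGuard());
    //   }
}
```

The scope check runs before any path inspection so that a root-package scope is refused even when the requested name looks harmless. A guard like this is defence in depth for deployments that cannot upgrade immediately; the fixed releases (1.4.20, 1.5.5) remain the primary remedy.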
Re: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Posted by Martin Grigorov <mg...@apache.org>.
I meant the root package.
Some.class.getPackage() == null
On Thu, Mar 22, 2012 at 4:31 PM, sauli.ketola <sa...@mbnet.fi> wrote:
> Could someone explain what is a 'null' package?
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Posted by "sauli.ketola" <sa...@mbnet.fi>.
Could someone explain what is a 'null' package?
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/CVE-2012-1089-Apache-Wicket-serving-of-hidden-files-vulnerability-tp4495044p4495662.html
Sent from the Users forum mailing list archive at Nabble.com.