You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Martijn Dashorst (JIRA)" <ji...@apache.org> on 2015/07/05 22:20:05 UTC

[jira] [Updated] (WICKET-5927) Velocity remote code execution

     [ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martijn Dashorst updated WICKET-5927:
-------------------------------------
    Fix Version/s:     (was: 7.0.0-M7)
                   7.0.0

> Velocity remote code execution
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>            Assignee: Martin Grigorov
>            Priority: Critical
>             Fix For: 7.0.0, 1.5.14, 6.21.0
>
>         Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)