You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@wicket.apache.org by Sebastiaan van Erk <se...@sebster.com> on 2008/12/22 16:10:44 UTC
Security of SharedResourceRequestTarget
Hi All,
I've just run into what I consider a bit of a security issue with the
SharedResourceRequestTarget. It allows me to load files from the
/WEB-INF directory (though I have to guess the file names).
For example, if I see there is some bookmarkable page in the app with
the name com.myapp.pages.MyBookMarkablePage, I can request the following
URL:
http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
Replace log4j.xml with applicationContext.xml, or any other guesses for
useful files.
In both these files it is more than possible that there is sensitive
information such as database urls and passwords or mail server usernames
and passwords (though if you use a property configurator in Spring you
might be lucky since the password is then contained in a .properties
file, which is blocked by Wicket).
Of course there may be lots of other sensitive files in WEB-INF.
I know about the IPackageResourceGuard interface, however, only since
today, after looking into this problem. :-) I could build my own
implementation with a default deny policy and open up package resources
on a need to have basis. However, I REALLY think that Wicket should be
secure by default, and a better solution to this problem should be found...
Regards,
Sebastiaan
Re: Security of SharedResourceRequestTarget
Posted by Sebastiaan van Erk <se...@sebster.com>.
Ok, scratch that.
Overlooked a .toLowerCase(). :-) Sorry about that.
Regards,
Sebastiaan
Sebastiaan van Erk wrote:
> As a side note, the PackageResourceGuard which checks for the
> "properties" extension among others does not look to be failsafe either.
>
> At least in my development configuration the WebAppClassLoader of Tomcat
> which eventually resolves the resource returns a file: url to for
> example the .properties file.
>
> On certain systems where the file system is not case sensitive this
> would allow you to specify the resource as file.PROPERTIES and the file:
> resource would be correctly resolved and the PackgeResourceGuard would
> allow it.
>
> Fortunately resources to files inside a .war file or inside .jar files
> do seem to be case sensitive even on Windows.
>
> Regards,
> Sebastiaan
>
> Sebastiaan van Erk wrote:
>> Hi All,
>>
>> I've just run into what I consider a bit of a security issue with the
>> SharedResourceRequestTarget. It allows me to load files from the
>> /WEB-INF directory (though I have to guess the file names).
>>
>> For example, if I see there is some bookmarkable page in the app with
>> the name com.myapp.pages.MyBookMarkablePage, I can request the
>> following URL:
>>
>> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>>
>>
>> Replace log4j.xml with applicationContext.xml, or any other guesses
>> for useful files.
>>
>> In both these files it is more than possible that there is sensitive
>> information such as database urls and passwords or mail server
>> usernames and passwords (though if you use a property configurator in
>> Spring you might be lucky since the password is then contained in a
>> .properties file, which is blocked by Wicket).
>>
>> Of course there may be lots of other sensitive files in WEB-INF.
>>
>> I know about the IPackageResourceGuard interface, however, only since
>> today, after looking into this problem. :-) I could build my own
>> implementation with a default deny policy and open up package
>> resources on a need to have basis. However, I REALLY think that Wicket
>> should be secure by default, and a better solution to this problem
>> should be found...
>>
>> Regards,
>> Sebastiaan
Re: Security of SharedResourceRequestTarget
Posted by Sebastiaan van Erk <se...@sebster.com>.
As a side note, the PackageResourceGuard which checks for the
"properties" extension among others does not look to be failsafe either.
At least in my development configuration the WebAppClassLoader of Tomcat
which eventually resolves the resource returns a file: url to for
example the .properties file.
On certain systems where the file system is not case sensitive this
would allow you to specify the resource as file.PROPERTIES and the file:
resource would be correctly resolved and the PackgeResourceGuard would
allow it.
Fortunately resources to files inside a .war file or inside .jar files
do seem to be case sensitive even on Windows.
Regards,
Sebastiaan
Sebastiaan van Erk wrote:
> Hi All,
>
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the
> /WEB-INF directory (though I have to guess the file names).
>
> For example, if I see there is some bookmarkable page in the app with
> the name com.myapp.pages.MyBookMarkablePage, I can request the following
> URL:
>
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>
>
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
>
> In both these files it is more than possible that there is sensitive
> information such as database urls and passwords or mail server usernames
> and passwords (though if you use a property configurator in Spring you
> might be lucky since the password is then contained in a .properties
> file, which is blocked by Wicket).
>
> Of course there may be lots of other sensitive files in WEB-INF.
>
> I know about the IPackageResourceGuard interface, however, only since
> today, after looking into this problem. :-) I could build my own
> implementation with a default deny policy and open up package resources
> on a need to have basis. However, I REALLY think that Wicket should be
> secure by default, and a better solution to this problem should be found...
>
> Regards,
> Sebastiaan
Re: Security of SharedResourceRequestTarget
Posted by Sebastiaan van Erk <se...@sebster.com>.
Ok, done:
https://issues.apache.org/jira/browse/WICKET-1992
Regards,
Sebastiaan
Jeremy Thomerson wrote:
> Could you file a JIRA on this?
>
> On Mon, Dec 22, 2008 at 9:10 AM, Sebastiaan van Erk <se...@sebster.com>wrote:
>
>> Hi All,
>>
>> I've just run into what I consider a bit of a security issue with the
>> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
>> directory (though I have to guess the file names).
>>
>> For example, if I see there is some bookmarkable page in the app with the
>> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>>
>>
>> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>>
>> Replace log4j.xml with applicationContext.xml, or any other guesses for
>> useful files.
>>
>> In both these files it is more than possible that there is sensitive
>> information such as database urls and passwords or mail server usernames and
>> passwords (though if you use a property configurator in Spring you might be
>> lucky since the password is then contained in a .properties file, which is
>> blocked by Wicket).
>>
>> Of course there may be lots of other sensitive files in WEB-INF.
>>
>> I know about the IPackageResourceGuard interface, however, only since
>> today, after looking into this problem. :-) I could build my own
>> implementation with a default deny policy and open up package resources on a
>> need to have basis. However, I REALLY think that Wicket should be secure by
>> default, and a better solution to this problem should be found...
>>
>> Regards,
>> Sebastiaan
>>
>
>
>
Re: Security of SharedResourceRequestTarget
Posted by Jeremy Thomerson <je...@wickettraining.com>.
Could you file a JIRA on this?
On Mon, Dec 22, 2008 at 9:10 AM, Sebastiaan van Erk <se...@sebster.com>wrote:
> Hi All,
>
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
>
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>
>
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
>
> In both these files it is more than possible that there is sensitive
> information such as database urls and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky since the password is then contained in a .properties file, which is
> blocked by Wicket).
>
> Of course there may be lots of other sensitive files in WEB-INF.
>
> I know about the IPackageResourceGuard interface, however, only since
> today, after looking into this problem. :-) I could build my own
> implementation with a default deny policy and open up package resources on a
> need to have basis. However, I REALLY think that Wicket should be secure by
> default, and a better solution to this problem should be found...
>
> Regards,
> Sebastiaan
>
--
Jeremy Thomerson
http://www.wickettraining.com