Posted to dev@wicket.apache.org by Sebastiaan van Erk <se...@sebster.com> on 2008/12/22 16:10:44 UTC

Security of SharedResourceRequestTarget

Hi All,

I've just run into what I consider a bit of a security issue with the 
SharedResourceRequestTarget. It allows me to load files from the 
/WEB-INF directory (though I have to guess the file names).

For example, if I see there is some bookmarkable page in the app with 
the name com.myapp.pages.MyBookMarkablePage, I can request the following 
URL:

http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml

Replace log4j.xml with applicationContext.xml, or any other guesses for 
useful files.

In both these files it is more than possible that there is sensitive 
information such as database urls and passwords or mail server usernames 
and passwords (though if you use a property configurator in Spring you 
might be lucky since the password is then contained in a .properties 
file, which is blocked by Wicket).

Of course there may be lots of other sensitive files in WEB-INF.

I know about the IPackageResourceGuard interface, however, only since 
today, after looking into this problem. :-) I could build my own 
implementation with a default deny policy and open up package resources 
on a need to have basis. However, I REALLY think that Wicket should be 
secure by default, and a better solution to this problem should be found...

Regards,
Sebastiaan

Re: Security of SharedResourceRequestTarget

Posted by Sebastiaan van Erk <se...@sebster.com>.
Ok, scratch that.

Overlooked a .toLowerCase(). :-) Sorry about that.

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> As a side note, the PackageResourceGuard which checks for the 
> "properties" extension among others does not look to be failsafe either.
> 
> At least in my development configuration the WebAppClassLoader of Tomcat 
> which eventually resolves the resource returns a file: url to for 
> example the .properties file.
> 
> On certain systems where the file system is not case sensitive this 
> would allow you to specify the resource as file.PROPERTIES and the file: 
> resource would be correctly resolved and the PackageResourceGuard would 
> allow it.
> 
> Fortunately resources to files inside a .war file or inside .jar files 
> do seem to be case sensitive even on Windows.
> 
> Regards,
> Sebastiaan
> 
> Sebastiaan van Erk wrote:
>> Hi All,
>>
>> I've just run into what I consider a bit of a security issue with the 
>> SharedResourceRequestTarget. It allows me to load files from the 
>> /WEB-INF directory (though I have to guess the file names).
>>
>> For example, if I see there is some bookmarkable page in the app with 
>> the name com.myapp.pages.MyBookMarkablePage, I can request the 
>> following URL:
>>
>> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml 
>>
>>
>> Replace log4j.xml with applicationContext.xml, or any other guesses 
>> for useful files.
>>
>> In both these files it is more than possible that there is sensitive 
>> information such as database urls and passwords or mail server 
>> usernames and passwords (though if you use a property configurator in 
>> Spring you might be lucky since the password is then contained in a 
>> .properties file, which is blocked by Wicket).
>>
>> Of course there may be lots of other sensitive files in WEB-INF.
>>
>> I know about the IPackageResourceGuard interface, however, only since 
>> today, after looking into this problem. :-) I could build my own 
>> implementation with a default deny policy and open up package 
>> resources on a need to have basis. However, I REALLY think that Wicket 
>> should be secure by default, and a better solution to this problem 
>> should be found...
>>
>> Regards,
>> Sebastiaan

Re: Security of SharedResourceRequestTarget

Posted by Sebastiaan van Erk <se...@sebster.com>.
As a side note, the PackageResourceGuard which checks for the 
"properties" extension among others does not look to be failsafe either.

At least in my development configuration the WebAppClassLoader of Tomcat 
which eventually resolves the resource returns a file: url to for 
example the .properties file.

On certain systems where the file system is not case sensitive this 
would allow you to specify the resource as file.PROPERTIES and the file: 
resource would be correctly resolved and the PackageResourceGuard would 
allow it.

Fortunately resources to files inside a .war file or inside .jar files 
do seem to be case sensitive even on Windows.

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi All,
> 
> I've just run into what I consider a bit of a security issue with the 
> SharedResourceRequestTarget. It allows me to load files from the 
> /WEB-INF directory (though I have to guess the file names).
> 
> For example, if I see there is some bookmarkable page in the app with 
> the name com.myapp.pages.MyBookMarkablePage, I can request the following 
> URL:
> 
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml 
> 
> 
> Replace log4j.xml with applicationContext.xml, or any other guesses for 
> useful files.
> 
> In both these files it is more than possible that there is sensitive 
> information such as database urls and passwords or mail server usernames 
> and passwords (though if you use a property configurator in Spring you 
> might be lucky since the password is then contained in a .properties 
> file, which is blocked by Wicket).
> 
> Of course there may be lots of other sensitive files in WEB-INF.
> 
> I know about the IPackageResourceGuard interface, however, only since 
> today, after looking into this problem. :-) I could build my own 
> implementation with a default deny policy and open up package resources 
> on a need to have basis. However, I REALLY think that Wicket should be 
> secure by default, and a better solution to this problem should be found...
> 
> Regards,
> Sebastiaan
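A worked example of the "default deny" IPackageResourceGuard suggested in the first message, added here as illustration; it is not code from this thread or from Wicket itself. It assumes the Wicket 1.4 API, namely org.apache.wicket.markup.html.IPackageResourceGuard with accept(Class<?> scope, String path) (Wicket 1.3 declares the first parameter as a raw Class) and IResourceSettings.setPackageResourceGuard(...); the class name AllowListPackageResourceGuard and the helper acceptPath are invented for the example. It covers both points raised above: only an explicit allow list of extensions is served, path segments that climb out of the package or point at WEB-INF are refused, and the extension comparison lower-cases its input so a case-insensitive file system cannot be used to sidestep a block (the same .toLowerCase() the author later found in Wicket's own guard).

```java
// Added example, not Wicket's own PackageResourceGuard. Assumes the Wicket 1.4
// IPackageResourceGuard#accept(Class<?>, String) signature.
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Default-deny guard: a package resource is served only when its extension
 * is on an explicit allow list. Anything else, including .properties, .xml
 * and files reached through "..", is refused.
 */
public class AllowListPackageResourceGuard implements IPackageResourceGuard {

    private final Set<String> allowedExtensions = new HashSet<String>();

    /** @param extensions extensions without the leading dot, e.g. "css", "js", "png" */
    public AllowListPackageResourceGuard(String... extensions) {
        for (String ext : extensions) {
            // Store lower-cased so the comparison below is case-insensitive.
            allowedExtensions.add(ext.toLowerCase(Locale.ENGLISH));
        }
    }

    public boolean accept(Class<?> scope, String path) {
        return acceptPath(path);
    }

    /** Pure decision logic, kept apart from the Wicket interface so it can be unit-tested. */
    public boolean acceptPath(String path) {
        if (path == null || path.length() == 0) {
            return false;
        }
        // Normalise separators so a backslash cannot hide a traversal segment.
        String normalized = path.replace('\\', '/');
        if (normalized.startsWith("/")) {
            return false; // absolute paths are never package resources
        }
        String[] segments = normalized.split("/");
        for (String segment : segments) {
            String s = segment.toLowerCase(Locale.ENGLISH);
            // ".." (or Wicket's "$up$" encoding of it, should it reach the guard
            // undecoded) climbs out of the package; WEB-INF and META-INF are
            // never legitimate package resource locations.
            if (s.equals("..") || s.equals("$up$") || s.equals("web-inf") || s.equals("meta-inf")) {
                return false;
            }
        }
        String fileName = segments[segments.length - 1];
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0 || dot == fileName.length() - 1) {
            return false; // no extension, dot-file, or trailing dot: deny
        }
        // Lower-case before comparing, so "file.PROPERTIES" is judged exactly
        // like "file.properties" regardless of file system case sensitivity.
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ENGLISH);
        return allowedExtensions.contains(ext);
    }
}
```

Register it once in the application's init() with getResourceSettings().setPackageResourceGuard(new AllowListPackageResourceGuard("css", "js", "png", "gif", "jpg")); from then on a request such as the $up$/$up$/$up$/log4j.xml URL quoted above is refused by the guard because both the traversal segments and the .xml extension fail the check, and a new resource type has to be added to the list deliberately rather than being served by default.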

Re: Security of SharedResourceRequestTarget

Posted by Sebastiaan van Erk <se...@sebster.com>.
Ok, done:

https://issues.apache.org/jira/browse/WICKET-1992

Regards,
Sebastiaan

Jeremy Thomerson wrote:
> Could you file a JIRA on this?
> 
> On Mon, Dec 22, 2008 at 9:10 AM, Sebastiaan van Erk <se...@sebster.com>wrote:
> 
>> Hi All,
>>
>> I've just run into what I consider a bit of a security issue with the
>> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
>> directory (though I have to guess the file names).
>>
>> For example, if I see there is some bookmarkable page in the app with the
>> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>>
>>
>> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>>
>> Replace log4j.xml with applicationContext.xml, or any other guesses for
>> useful files.
>>
>> In both these files it is more than possible that there is sensitive
>> information such as database urls and passwords or mail server usernames and
>> passwords (though if you use a property configurator in Spring you might be
>> lucky since the password is then contained in a .properties file, which is
>> blocked by Wicket).
>>
>> Of course there may be lots of other sensitive files in WEB-INF.
>>
>> I know about the IPackageResourceGuard interface, however, only since
>> today, after looking into this problem. :-) I could build my own
>> implementation with a default deny policy and open up package resources on a
>> need to have basis. However, I REALLY think that Wicket should be secure by
>> default, and a better solution to this problem should be found...
>>
>> Regards,
>> Sebastiaan
>>
> 
> 
> 

Re: Security of SharedResourceRequestTarget

Posted by Jeremy Thomerson <je...@wickettraining.com>.
Could you file a JIRA on this?

On Mon, Dec 22, 2008 at 9:10 AM, Sebastiaan van Erk <se...@sebster.com>wrote:

> Hi All,
>
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
>
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>
>
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
>
> In both these files it is more than possible that there is sensitive
> information such as database urls and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky since the password is then contained in a .properties file, which is
> blocked by Wicket).
>
> Of course there may be lots of other sensitive files in WEB-INF.
>
> I know about the IPackageResourceGuard interface, however, only since
> today, after looking into this problem. :-) I could build my own
> implementation with a default deny policy and open up package resources on a
> need to have basis. However, I REALLY think that Wicket should be secure by
> default, and a better solution to this problem should be found...
>
> Regards,
> Sebastiaan
>



-- 
Jeremy Thomerson
http://www.wickettraining.com