You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by mg...@apache.org on 2012/03/22 11:03:35 UTC
svn commit: r1303708 - in /wicket/common/site/trunk: _posts/ _site/
_site/2011/03/25/ _site/2011/05/17/ _site/2012/03/22/ _site/learn/books/
_site/start/
Author: mgrigorov
Date: Thu Mar 22 10:03:34 2012
New Revision: 1303708
URL: http://svn.apache.org/viewvc?rev=1303708&view=rev
Log:
Add entries for CVE-2012-0047 and CVE-2012-1089
Added:
wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-0047.md
wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-1089.md
wicket/common/site/trunk/_site/2012/03/22/
wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-0047.html
wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-1089.html
Modified:
wicket/common/site/trunk/_site/2011/03/25/wicket-cookbook-published.html
wicket/common/site/trunk/_site/2011/05/17/wicket-cookbook-contest.html
wicket/common/site/trunk/_site/atom.xml
wicket/common/site/trunk/_site/index.html
wicket/common/site/trunk/_site/learn/books/index.html
wicket/common/site/trunk/_site/start/index.html
wicket/common/site/trunk/_site/start/quickstart.html
Added: wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-0047.md
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-0047.md?rev=1303708&view=auto
==============================================================================
--- wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-0047.md (added)
+++ wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-0047.md Thu Mar 22 10:03:34 2012
@@ -0,0 +1,25 @@
+---
+layout: post
+title: CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter
+---
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache Wicket 1.4.x
+
+Apache Wicket 1.3.x and 1.5.x are not affected
+
+Description:
+A Cross Site Scripting (XSS) attack is possible by manipulating the
+value of 'wicket:pageMapName' request parameter.
+
+Mitigation:
+Upgrade to [Apache Wicket 1.4.20](http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html) or
+[Apache Wicket 1.5.5](http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html)
+
+Credit:
+This issue was discovered by Jens Schenck.
Added: wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-1089.md
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-1089.md?rev=1303708&view=auto
==============================================================================
--- wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-1089.md (added)
+++ wicket/common/site/trunk/_posts/2012-03-22-wicket-cve-2012-1089.md Thu Mar 22 10:03:34 2012
@@ -0,0 +1,46 @@
+---
+layout: post
+title: CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability
+---
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache Wicket 1.4.x and 1.5.x
+
+Description:
+It is possible to view the content of any file of a web application by
+using an Url to a Wicket resource which resolves to a 'null' package.
+With such a Url the attacker can request the content of any file by specifying
+its relative path, i.e. the attacker must know the file name to be able to
+request it.
+
+Mitigation:
+Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
+a whitelist of allowed resources.
+Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
+org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
+list of allowed file extensions.
+Either setup SecurePackageResourceGuard with code like:
+
+{% highlight java %}
+public class MyApp extends WebApplication {
+ public void init() {
+ super.init();
+ SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
+ guard.addPattern(...);
+ guard.addPattern(...);
+ getResourceSettings().setPackageResourceGuard(guard);
+ }
+}
+{% endhighlight %}
+
+or upgrade [Apache Wicket 1.4.20](http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html) or
+[Apache Wicket 1.5.5](http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html)
+
+
+Credit:
+This issue was discovered by Sebastian van Erk.
Modified: wicket/common/site/trunk/_site/2011/03/25/wicket-cookbook-published.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2011/03/25/wicket-cookbook-published.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/2011/03/25/wicket-cookbook-published.html (original)
+++ wicket/common/site/trunk/_site/2011/03/25/wicket-cookbook-published.html Thu Mar 22 10:03:34 2012
@@ -151,7 +151,7 @@
<div id="contentbody">
<h1>Apache Wicket Cookbook Published!</h1>
- <img style='float: left; margin-left: 10px; margin-right: 10px;' title='Apache Wicket Cookbook' width='180' height='222' alt='' src='http://wicket.apache.org/learn/books/awc.png' />
+ <img height='222' style='float: left; margin-left: 10px; margin-right: 10px;' alt='' width='180' src='http://wicket.apache.org/learn/books/awc.png' title='Apache Wicket Cookbook' />
<p>For the past nine months I have been quietly working on a book about Wicket. Unlike other books on the market this one does not attempt to teach you Wicket from the ground up. Instead, it is for developers who already know the basics and want to learn how to implement some of the more advanced use cases. Essentially, it contains recipes that show the reader how to implement solutions to some of, what I think are, the most commonly asked questions and stumbling blocks.</p>
<p>This morning I was informed that the book has been published! You can read more about it and pick up a copy on <a href='https://www.packtpub.com/apache-wicket-cookbook/book'>PACKT's Site</a>.</p>
Modified: wicket/common/site/trunk/_site/2011/05/17/wicket-cookbook-contest.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2011/05/17/wicket-cookbook-contest.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/2011/05/17/wicket-cookbook-contest.html (original)
+++ wicket/common/site/trunk/_site/2011/05/17/wicket-cookbook-contest.html Thu Mar 22 10:03:34 2012
@@ -151,7 +151,7 @@
<div id="contentbody">
<h1>Apache Wicket Cookbook Giveaway Contest</h1>
- <img style='float: left; margin-left: 10px; margin-right: 10px;' title='Apache Wicket Cookbook' width='90' height='111' alt='' src='http://wicket.apache.org/learn/books/awc.png' />
+ <img height='111' style='float: left; margin-left: 10px; margin-right: 10px;' alt='' width='90' src='http://wicket.apache.org/learn/books/awc.png' title='Apache Wicket Cookbook' />
<p>Packt Publishing has generously allowed me to give away a free copy of the ebook version of <a href='http://link.packtpub.com/AzN8N9'><strong>Apache Wicket Cookbook</strong></a> (http://link.packtpub.com/AzN8N9), and a <strong>free one year subscription</strong> to PacktLib. For details see the <a href='http://wicketinaction.com/2011/05/apache_wicket_cookbook_giveaway_contest'>contest announcement</a>.</p>
<p>Cheers,<br /> -Igor <br /><br /><br /><br /><br /><br /></p>
Added: wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-0047.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-0047.html?rev=1303708&view=auto
==============================================================================
--- wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-0047.html (added)
+++ wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-0047.html Thu Mar 22 10:03:34 2012
@@ -0,0 +1,177 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Apache Wicket - CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter</title>
+
+ <link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />
+
+ <!--[if lt ie 7]>
+ <link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
+ <![endif]-->
+ <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
+ <link rel="alternate" type="application/atom+xml" href="/atom.xml" />
+ <meta http-equiv="content-type" content="text/html;charset=utf-8" />
+</head>
+<body>
+<div id="container">
+ <div id="content">
+ <div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
+ <div id="navigation">
+ <h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
+ <ul>
+ <li>
+ <a href="/" title="Index">Home</a>
+ </li>
+ <li>
+ <a href="/meet/introduction.html" title="Introduction">Introduction</a>
+ </li>
+ <li>
+ <a href="/meet/features.html" title="Features">Features</a>
+ </li>
+ <li>
+ <a href="/meet/buzz.html" title="Buzz">Buzz</a>
+ </li>
+ <li>
+ <a href="/meet/vision.html" title="Vision">Vision</a>
+ </li>
+ <li>
+ <a href="/meet/blogs.html" title="Blogs">Blogs</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
+ </h5>
+ <ul>
+ <li>
+ <a href="/start/download.html" title="Download Wicket">Download Wicket</a>
+ </li>
+ <li>
+ <a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
+ </li>
+ <li>
+ <a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
+ </li>
+ <li>
+ <a href="/help" title="Get help">Get help</a>
+ </li>
+ <li>
+ <a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
+ </h5>
+ <ul>
+ <li>
+ <a href="/learn/examples" title="Examples">Examples</a>
+ </li>
+ <li>
+ <a href="http://wicketstuff.org/wicket14/compref/">Components</a>
+ </li>
+ <li>
+ <a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
+ </li>
+ <li>
+ <a href="http://cwiki.apache.org/WICKET">Wiki</a>
+ </li>
+ <li>
+ <a href="http://cwiki.apache.org/WICKET/reference-library.html">Reference guide</a>
+ </li>
+ <li>
+ <a href="/learn/books" title="Books">Books</a>
+ </li>
+ <li>
+ <a href="/learn/ides.html" title="IDEs">IDE plugins</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.5">Wicket 1.5</a>
+ (<a href="http://wicket.apache.org/apidocs/1.5" title="JavaDocs of the latest stable release - 1.5.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.19">Wicket 1.4</a>
+ (<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
+ (<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
+ </h5>
+ <ul>
+ <li>
+ <a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
+ </li>
+ <li>
+ <a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
+ </li>
+ <li>
+ <a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
+ </li>
+ <li>
+ <a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
+ </li>
+ <li>
+ <a href="http://fisheye6.atlassian.com/browse/wicket" title="SVN Overview" class="external-link" rel="nofollow">Fisheye</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
+ </li>
+ <li>
+ <a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
+ </li>
+ </ul>
+</div>
+
+ <div id="contentbody">
+ <h1>CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter</h1>
+ <p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x</p>
+
+<p>Apache Wicket 1.3.x and 1.5.x are not affected</p>
+
+<p>Description: A Cross Site Scripting (XSS) attack is possible by manipulating the value of ‘wicket:pageMapName’ request parameter.</p>
+
+<p>Mitigation: Upgrade to <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p>
+
+<p>Credit: This issue was discovered by Jens Schenck.</p>
+ </div>
+ <div id="clearer"></div>
+ <div id="footer"><span>
+Copyright © 2012 — The Apache Software Foundation. Apache Wicket,
+Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
+are trademarks of The Apache Software Foundation. All other marks mentioned
+may be trademarks or registered trademarks of their respective owners.
+</span></div>
+
+ </div>
+</div>
+</body>
+</html>
Added: wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-1089.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-1089.html?rev=1303708&view=auto
==============================================================================
--- wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-1089.html (added)
+++ wicket/common/site/trunk/_site/2012/03/22/wicket-cve-2012-1089.html Thu Mar 22 10:03:34 2012
@@ -0,0 +1,187 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Apache Wicket - CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</title>
+
+ <link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />
+
+ <!--[if lt ie 7]>
+ <link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
+ <![endif]-->
+ <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
+ <link rel="alternate" type="application/atom+xml" href="/atom.xml" />
+ <meta http-equiv="content-type" content="text/html;charset=utf-8" />
+</head>
+<body>
+<div id="container">
+ <div id="content">
+ <div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
+ <div id="navigation">
+ <h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
+ <ul>
+ <li>
+ <a href="/" title="Index">Home</a>
+ </li>
+ <li>
+ <a href="/meet/introduction.html" title="Introduction">Introduction</a>
+ </li>
+ <li>
+ <a href="/meet/features.html" title="Features">Features</a>
+ </li>
+ <li>
+ <a href="/meet/buzz.html" title="Buzz">Buzz</a>
+ </li>
+ <li>
+ <a href="/meet/vision.html" title="Vision">Vision</a>
+ </li>
+ <li>
+ <a href="/meet/blogs.html" title="Blogs">Blogs</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
+ </h5>
+ <ul>
+ <li>
+ <a href="/start/download.html" title="Download Wicket">Download Wicket</a>
+ </li>
+ <li>
+ <a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
+ </li>
+ <li>
+ <a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
+ </li>
+ <li>
+ <a href="/help" title="Get help">Get help</a>
+ </li>
+ <li>
+ <a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
+ </h5>
+ <ul>
+ <li>
+ <a href="/learn/examples" title="Examples">Examples</a>
+ </li>
+ <li>
+ <a href="http://wicketstuff.org/wicket14/compref/">Components</a>
+ </li>
+ <li>
+ <a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
+ </li>
+ <li>
+ <a href="http://cwiki.apache.org/WICKET">Wiki</a>
+ </li>
+ <li>
+ <a href="http://cwiki.apache.org/WICKET/reference-library.html">Reference guide</a>
+ </li>
+ <li>
+ <a href="/learn/books" title="Books">Books</a>
+ </li>
+ <li>
+ <a href="/learn/ides.html" title="IDEs">IDE plugins</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.5">Wicket 1.5</a>
+ (<a href="http://wicket.apache.org/apidocs/1.5" title="JavaDocs of the latest stable release - 1.5.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.19">Wicket 1.4</a>
+ (<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
+ (<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
+ </h5>
+ <ul>
+ <li>
+ <a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
+ </li>
+ <li>
+ <a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
+ </li>
+ <li>
+ <a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
+ </li>
+ <li>
+ <a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
+ </li>
+ <li>
+ <a href="http://fisheye6.atlassian.com/browse/wicket" title="SVN Overview" class="external-link" rel="nofollow">Fisheye</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
+ </li>
+ <li>
+ <a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
+ </li>
+ </ul>
+</div>
+
+ <div id="contentbody">
+ <h1>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</h1>
+ <p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x and 1.5.x</p>
+
+<p>Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a ‘null’ package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.</p>
+
+<p>Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:</p>
+<div class='highlight'><pre><code class='java'><span class='kd'>public</span> <span class='kd'>class</span> <span class='nc'>MyApp</span> <span class='kd'>extends</span> <span class='n'>WebApplication</span> <span class='o'>{</span>
+ <span class='kd'>public</span> <span class='kt'>void</span> <span class='nf'>init</span><span class='o'>()</span> <span class='o'>{</span>
+ <span class='kd'>super</span><span class='o'>.</span><span class='na'>init</span><span class='o'>();</span>
+ <span class='n'>SecurePackageResourceGuard</span> <span class='n'>guard</span> <span class='o'>=</span> <span class='k'>new</span> <span class='n'>SecurePackageResourceGuard</span><span class='o'>();</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>getResourceSettings</span><span class='o'>().</span><span class='na'>setPackageResourceGuard</span><span class='o'>(</span><span class='n'>guard</span><span class='o'>);</span>
+ <span class='o'>}</span>
+<span class='o'>}</span>
+</code></pre>
+</div>
+<p>or upgrade <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p>
+
+<p>Credit: This issue was discovered by Sebastian van Erk.</p>
+ </div>
+ <div id="clearer"></div>
+ <div id="footer"><span>
+Copyright © 2012 — The Apache Software Foundation. Apache Wicket,
+Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
+are trademarks of The Apache Software Foundation. All other marks mentioned
+may be trademarks or registered trademarks of their respective owners.
+</span></div>
+
+ </div>
+</div>
+</body>
+</html>
Modified: wicket/common/site/trunk/_site/atom.xml
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/atom.xml?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/atom.xml (original)
+++ wicket/common/site/trunk/_site/atom.xml Thu Mar 22 10:03:34 2012
@@ -4,7 +4,7 @@
<title>Apache Wicket</title>
<link href="http://wicket.apache.org/atom.xml" rel="self"/>
<link href="http://wicket.apache.org/"/>
- <updated>2012-03-12T17:47:32+02:00</updated>
+ <updated>2012-03-22T12:00:52+02:00</updated>
<id>http://wicket.apache.org/</id>
<author>
<name>Apache Wicket</name>
@@ -13,6 +13,52 @@
<entry>
+ <title>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</title>
+ <link href="http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089.html"/>
+ <updated>2012-03-22T00:00:00+02:00</updated>
+ <id>http://wicket.apache.org/2012/03/22/wicket-cve-2012-1089</id>
+ <content type="html"><p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x and 1.5.x</p>
+
+<p>Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a &#8216;null&#8217; package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.</p>
+
+<p>Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:</p>
+<div class='highlight'><pre><code class='java'><span class='kd'>public</span> <span class='kd'>class</span> <span class='nc'>MyApp</span> <span class='kd'>extends</span> <span class='n'>WebApplication</span> <span class='o'>{</span>
+ <span class='kd'>public</span> <span class='kt'>void</span> <span class='nf'>init</span><span class='o'>()</span> <span class='o'>{</span>
+ <span class='kd'>super</span><span class='o'>.</span><span class='na'>init</span><span class='o'>();</span>
+ <span class='n'>SecurePackageResourceGuard</span> <span class='n'>guard</span> <span class='o'>=</span> <span class='k'>new</span> <span class='n'>SecurePackageResourceGuard</span><span class='o'>();</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>getResourceSettings</span><span class='o'>().</span><span class='na'>setPackageResourceGuard</span><span class='o'>(</span><span class='n'>guard</span><span class='o'>);</span>
+ <span class='o'>}</span>
+<span class='o'>}</span>
+</code></pre>
+</div>
+<p>or upgrade <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p>
+
+<p>Credit: This issue was discovered by Sebastian van Erk.</p></content>
+ </entry>
+
+ <entry>
+ <title>CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter</title>
+ <link href="http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html"/>
+ <updated>2012-03-22T00:00:00+02:00</updated>
+ <id>http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047</id>
+ <content type="html"><p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x</p>
+
+<p>Apache Wicket 1.3.x and 1.5.x are not affected</p>
+
+<p>Description: A Cross Site Scripting (XSS) attack is possible by manipulating the value of &#8216;wicket:pageMapName&#8217; request parameter.</p>
+
+<p>Mitigation: Upgrade to <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p>
+
+<p>Credit: This issue was discovered by Jens Schenck.</p></content>
+ </entry>
+
+ <entry>
<title>Wicket 1.5.5 released</title>
<link href="http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html"/>
<updated>2012-03-12T00:00:00+02:00</updated>
@@ -317,63 +363,4 @@
</div></content>
</entry>
- <entry>
- <title>Wicket 1.5-RC7 released</title>
- <link href="http://wicket.apache.org/2011/08/28/1.5-RC7-released.html"/>
- <updated>2011-08-28T00:00:00+03:00</updated>
- <id>http://wicket.apache.org/2011/08/28/1.5-RC7-released</id>
- <content type="html"><p>The Wicket Team is proud to introduce the seventh Release Candidate in Wicket 1.5 series. See the changelog for the list of bug fixes and improvements done between 1.5-RC5.1 and 1.5-RC7</p>
-
-<p>More detailed migration notes are available on our <a href='https://cwiki.apache.org/WICKET/migration-to-wicket-15.html'>Migrate to 1.5 Wiki Page</a></p>
-
-<p>Release Artifacts:</p>
-
-<ul>
-<li><a href='http://svn.apache.org/repos/asf/wicket/releases/wicket-1.5-RC7'>Subversion tag</a></li>
-
-<li><a href='https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&amp;version=12316657'>Changelog RC6</a></li>
-
-<li><a href='https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&amp;version=12317645'>Changelog RC7</a></li>
-
-<li>To use in Maven:</li>
-</ul>
-<div class='highlight'><pre><code class='xml'><span class='nt'>&lt;dependency&gt;</span>
- <span class='nt'>&lt;groupId&gt;</span>org.apache.wicket<span class='nt'>&lt;/groupId&gt;</span>
- <span class='nt'>&lt;artifactId&gt;</span>wicket-core<span class='nt'>&lt;/artifactId&gt;</span>
- <span class='nt'>&lt;version&gt;</span>1.5-RC7<span class='nt'>&lt;/version&gt;</span>
-<span class='nt'>&lt;/dependency&gt;</span>
-</code></pre>
-</div>
-<ul>
-<li>Download the <a href='http://www.apache.org/dyn/closer.cgi/wicket/1.5-RC7'>full distribution</a> (including source)</li>
-</ul></content>
- </entry>
-
- <entry>
- <title>CVE-2011-2712 - Apache Wicket XSS vulnerability</title>
- <link href="http://wicket.apache.org/2011/08/23/cve-2011-2712.html"/>
- <updated>2011-08-23T00:00:00+03:00</updated>
- <id>http://wicket.apache.org/2011/08/23/cve-2011-2712</id>
- <content type="html"><p>Vendor: The Apache Software Foundation</p>
-
-<p>Versions Affected: Apache Wicket 1.4.x</p>
-
-<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>
-
-<p>Description: With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions.</p>
-
-<p>Mitigation: Either disable multi window support with</p>
-<div class='highlight'><pre><code class='java'><span class='kd'>public</span> <span class='kd'>class</span> <span class='nc'>MyApp</span> <span class='kd'>extends</span> <span class='n'>WebApplication</span> <span class='o'>{</span>
- <span class='kd'>public</span> <span class='kt'>void</span> <span class='nf'>init</span><span class='o'>()</span> <span class='o'>{</span>
- <span class='kd'>super</span><span class='o'>.</span><span class='na'>init</span><span class='o'>();</span>
- <span class='n'>getPageSettings</span><span class='o'>.</span><span class='na'>setAutomaticMultiWindowSupport</span><span class='o'>(</span><span class='kc'>false</span><span class='o'>);</span>
- <span class='o'>}</span>
-<span class='o'>}</span>
-</code></pre>
-</div>
-<p>or upgrade to <a href='http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html'>Apache Wicket 1.4.18</a> or <a href='http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html'>Apache Wicket 1.5-RC5.1</a></p>
-
-<p>Credit: This issue was discovered by Sven Krewitt of TÃV Rheinland i-sec GmbH.</p></content>
- </entry>
-
</feed>
Modified: wicket/common/site/trunk/_site/index.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/index.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/index.html (original)
+++ wicket/common/site/trunk/_site/index.html Thu Mar 22 10:03:34 2012
@@ -173,38 +173,32 @@
<h1>Security announcement: CVE-2011-2712</h1>
<p>A XSS vulnerability has been found in Apache Wicket version 1.4. This is solved in Apache Wicket 1.4.18. Please upgrade your applications to this release. Wicket versions 1.3.x and 1.5.x are not affected by this vulnerability. <a href='2011/08/23/cve-2011-2712.html'>More information</a></p>
-<h1 id='wicket_155_released'><a href='/2012/03/12/wicket-1.5.5-released.html'>Wicket 1.5.5 released</a></h1>
-<p>This is the fifth maintenance release of the Wicket 1.5.x series. This release brings over 50 bug fixes and improvements.</p><ul>
-<li><a href='http://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/release/wicket-1.5.5'>Git tag</a></li>
-
-<li><a href='https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12319052'>Changelog</a></li>
-
-<li>To use in Maven:</li>
-</ul><div class='highlight'><pre><code class='xml'><span class='nt'><dependency></span>
- <span class='nt'><groupId></span>org.apache.wicket<span class='nt'></groupId></span>
- <span class='nt'><artifactId></span>wicket-core<span class='nt'></artifactId></span>
- <span class='nt'><version></span>1.5.5<span class='nt'></version></span>
-<span class='nt'></dependency></span>
+<h1 id='cve20121089__apache_wicket_serving_of_hidden_files_vulnerability'><a href='/2012/03/22/wicket-cve-2012-1089.html'>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</a></h1>
+<p>Vendor: The Apache Software Foundation</p><p>Versions Affected: Apache Wicket 1.4.x and 1.5.x</p><p>Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a ‘null’ package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.</p><p>Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:</p><div class='highlight'><pre><code class='java'><span class='kd'>public</span> <span class='kd'>class</span> <span class='nc'>MyApp</span> <span class='kd'>extends</span> <span class='n'>Web
Application</span> <span class='o'>{</span>
+ <span class='kd'>public</span> <span class='kt'>void</span> <span class='nf'>init</span><span class='o'>()</span> <span class='o'>{</span>
+ <span class='kd'>super</span><span class='o'>.</span><span class='na'>init</span><span class='o'>();</span>
+ <span class='n'>SecurePackageResourceGuard</span> <span class='n'>guard</span> <span class='o'>=</span> <span class='k'>new</span> <span class='n'>SecurePackageResourceGuard</span><span class='o'>();</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>guard</span><span class='o'>.</span><span class='na'>addPattern</span><span class='o'>(...);</span>
+ <span class='n'>getResourceSettings</span><span class='o'>().</span><span class='na'>setPackageResourceGuard</span><span class='o'>(</span><span class='n'>guard</span><span class='o'>);</span>
+ <span class='o'>}</span>
+<span class='o'>}</span>
</code></pre>
-</div><ul>
-<li>Download the <a href='http://www.apache.org/dyn/closer.cgi/wicket/1.5.5'>full distribution</a> (including source)</li>
-</ul>
-<h1 id='wicket_1420_released'><a href='/2012/03/12/wicket-1.4.20-released.html'>Wicket 1.4.20 released</a></h1>
-<p>This is twentieth release of the Wicket 1.4.x series. This is primarily a minor bugfix release on the 1.4.x (stable) branch.</p><ul>
-<li><a href='http://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=shortlog;h=refs/tags/release/wicket-1.4.20'>Subversion tag</a></li>
-
-<li><a href='https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12318545'>Changelog</a></li>
-
-<li>To use in Maven:</li>
-</ul><div class='highlight'><pre><code class='xml'><span class='nt'><dependency></span>
- <span class='nt'><groupId></span>org.apache.wicket<span class='nt'></groupId></span>
- <span class='nt'><artifactId></span>wicket<span class='nt'></artifactId></span>
- <span class='nt'><version></span>1.4.20<span class='nt'></version></span>
-<span class='nt'></dependency></span>
-</code></pre>
-</div><ul>
-<li>Download the <a href='http://www.apache.org/dyn/closer.cgi/wicket/1.4.20'>full distribution</a> (including source)</li>
-</ul><h1>Older news items</h1><ul>
+</div><p>or upgrade <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p><p>Credit: This issue was discovered by Sebastian van Erk.</p>
+<h1 id='cve20120047__apache_wicket_xss_vulnerability_via_pagemapname_request_parameter'><a href='/2012/03/22/wicket-cve-2012-0047.html'>CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName request parameter</a></h1>
+<p>Vendor: The Apache Software Foundation</p><p>Versions Affected: Apache Wicket 1.4.x</p><p>Apache Wicket 1.3.x and 1.5.x are not affected</p><p>Description: A Cross Site Scripting (XSS) attack is possible by manipulating the value of ‘wicket:pageMapName’ request parameter.</p><p>Mitigation: Upgrade to <a href='http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html'>Apache Wicket 1.4.20</a> or <a href='http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html'>Apache Wicket 1.5.5</a></p><p>Credit: This issue was discovered by Jens Schenck.</p><h1>Older news items</h1><ul>
+
+
+<li>
+ <a href='/2012/03/12/wicket-1.5.5-released.html'>Wicket 1.5.5 released</a> - <span>12 Mar 2012</span><br />
+ This is the fifth maintenance release of the Wicket 1.5.x series. This release brings over 50 bug fixes and improvements. Git tag Changelog To use...
+ <a href='/2012/03/12/wicket-1.5.5-released.html'>more</a></li>
+
+
+<li>
+ <a href='/2012/03/12/wicket-1.4.20-released.html'>Wicket 1.4.20 released</a> - <span>12 Mar 2012</span><br />
+ This is twentieth release of the Wicket 1.4.x series. This is primarily a minor bugfix release on the 1.4.x (stable) branch. Subversion tag Changelog To...
+ <a href='/2012/03/12/wicket-1.4.20-released.html'>more</a></li>
<li>
@@ -254,18 +248,6 @@
Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.4.x Apache Wicket 1.3.x and 1.5-RCx are not affected Description: With multi window support application configuration...
<a href='/2011/08/23/cve-2011-2712.html'>more</a></li>
-
-<li>
- <a href='/2011/08/09/wicket-1.4.18-released.html'>Wicket 1.4.18 released</a> - <span>09 Aug 2011</span><br />
- This is eightteenth release of the Wicket 1.4.x series. This is primarily a minor bugfix release on the 1.4.x (stable) branch. Subversion tag Changelog To...
- <a href='/2011/08/09/wicket-1.4.18-released.html'>more</a></li>
-
-
-<li>
- <a href='/2011/06/25/wicket-1.5-RC5.1-released.html'>Wicket 1.5-RC5.1 released</a> - <span>25 Jun 2011</span><br />
- The Wicket Team is proud to introduce the fourth Release Candidate in Wicket 1.5 series. See the changelog for the list of bug fixes and...
- <a href='/2011/06/25/wicket-1.5-RC5.1-released.html'>more</a></li>
-
</ul>
<h1 id='books_about_wicket'>Books about Wicket</h1>
Modified: wicket/common/site/trunk/_site/learn/books/index.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/learn/books/index.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/learn/books/index.html (original)
+++ wicket/common/site/trunk/_site/learn/books/index.html Thu Mar 22 10:03:34 2012
@@ -152,7 +152,7 @@
<div id="contentbody">
<h1>Books about Wicket</h1>
<p>Several books have been written about Apache Wicket, 4 in English, 2 in German and 1 in Japanese. Click on a cover to learn more about each book.</p>
-<a href='awc.html'><img title='Apache Wicket Cookbook' height='300px' alt='Apache Wicket Cookbook cover' src='awc.png' /></a><a href='wia.html'><img title='Wicket in Action' height='300px' alt='Wicket in Action cover' src='wia.png' /></a><a href='ewdww.html'><img title='Enjoying Web Development with Wicket' height='300px' alt='Enjoying Web Development with Wicket cover' src='ewdww.png' /></a><a href='prowicket.html'><img title='Pro Wicket' height='300px' alt='Pro Wicket cover' src='prowicket.png' /></a><a href='paxisbuchwicket.html'><img title='Praxisbuch Wicket' height='300px' alt='Praxisbuch Wicket cover' src='praxisbuchwicket.png' /></a><a href='kwij.html'><img title='Wicket: Komponentenbasierte Webanwendungen in Java' height='300px' alt='Wicket: Komponentenbasierte Webanwendungen in Java cover' src='kwij.png' /></a><a href='wicket-jp.html'><img title='Wicket Japanese' height='300px' alt='Wicket Japanese cover' src='wicket-jp.png' /></a>
+<a href='awc.html'><img height='300px' alt='Apache Wicket Cookbook cover' src='awc.png' title='Apache Wicket Cookbook' /></a><a href='wia.html'><img height='300px' alt='Wicket in Action cover' src='wia.png' title='Wicket in Action' /></a><a href='ewdww.html'><img height='300px' alt='Enjoying Web Development with Wicket cover' src='ewdww.png' title='Enjoying Web Development with Wicket' /></a><a href='prowicket.html'><img height='300px' alt='Pro Wicket cover' src='prowicket.png' title='Pro Wicket' /></a><a href='paxisbuchwicket.html'><img height='300px' alt='Praxisbuch Wicket cover' src='praxisbuchwicket.png' title='Praxisbuch Wicket' /></a><a href='kwij.html'><img height='300px' alt='Wicket: Komponentenbasierte Webanwendungen in Java cover' src='kwij.png' title='Wicket: Komponentenbasierte Webanwendungen in Java' /></a><a href='wicket-jp.html'><img height='300px' alt='Wicket Japanese cover' src='wicket-jp.png' title='Wicket Japanese' /></a>
</div>
<div id="clearer"></div>
<div id="footer"><span>
Modified: wicket/common/site/trunk/_site/start/index.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/start/index.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/start/index.html (original)
+++ wicket/common/site/trunk/_site/start/index.html Thu Mar 22 10:03:34 2012
@@ -156,7 +156,7 @@
<li><a href='download.html'>Download</a> the latest and greatest Wicket release</li>
-<li>Or use one of the available third party <a href='http://www.jweekend.com/dev/LegUp' rel='nofollow'>Maven archetypes</a></li>
+<li>Or use one of the available third party <a rel='nofollow' href='http://www.jweekend.com/dev/LegUp'>Maven archetypes</a></li>
</ul>
</div>
<div id="clearer"></div>
Modified: wicket/common/site/trunk/_site/start/quickstart.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/start/quickstart.html?rev=1303708&r1=1303707&r2=1303708&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/start/quickstart.html (original)
+++ wicket/common/site/trunk/_site/start/quickstart.html Thu Mar 22 10:03:34 2012
@@ -193,12 +193,12 @@
}
</script><div id='mvncmd'>
<div>
- <label title='Base Package' for='groupId'>GroupId:</label>
- <input type='text' id='groupId' onkeyup='changeIt();' value='com.mycompany' /><span title='Base Package'> (?)</span><br />
- <label title='Project Name' for='artifactId'>ArtifactId:</label>
- <input type='text' id='artifactId' onkeyup='changeIt();' value='myproject' /><span title='Project Name'> (?)</span><br />
- <label title='Wicket Version' for='version'>Version:</label>
- <select id='version' onchange='changeIt();'>
+ <label for='groupId' title='Base Package'>GroupId:</label>
+ <input value='com.mycompany' id='groupId' type='text' onkeyup='changeIt();' /><span title='Base Package'> (?)</span><br />
+ <label for='artifactId' title='Project Name'>ArtifactId:</label>
+ <input value='myproject' id='artifactId' type='text' onkeyup='changeIt();' /><span title='Project Name'> (?)</span><br />
+ <label for='version' title='Wicket Version'>Version:</label>
+ <select onchange='changeIt();' id='version'>
<option value='6.0-SNAPSHOT'>6.0-SNAPSHOT</option>
@@ -217,7 +217,7 @@
- <option selected='selected' value='1.5.5'>1.5.5</option>
+ <option value='1.5.5' selected='selected'>1.5.5</option>
</select><span title='Wicket Version'> (?)</span>