Posted to commits@wicket.apache.org by "Sebastiaan van Erk (JIRA)" <ji...@apache.org> on 2008/12/22 20:42:44 UTC

[jira] Created: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
----------------------------------------------------------------------------------

                 Key: WICKET-1992
                 URL: https://issues.apache.org/jira/browse/WICKET-1992
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 1.4-RC1
            Reporter: Sebastiaan van Erk
            Priority: Critical


Hi All,

I've just run into what I consider a bit of a security issue with the SharedResourceRequestTarget. It allows me to load files from the /WEB-INF directory (though I have to guess the file names).

For example, if I see there is some bookmarkable page in the app with the name com.myapp.pages.MyBookMarkablePage, I can request the following URL:

http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml

Replace log4j.xml with applicationContext.xml, or any other guesses for useful files.

In both these files it is more than possible that there is sensitive information such as database urls and passwords or mail server usernames and passwords (though if you use a property configurator in Spring you might be lucky since the password is then contained in a .properties file, which is blocked by Wicket).

Of course there may be lots of other sensitive files in WEB-INF.

I know about the IPackageResourceGuard interface, however, only since today, after looking into this problem. :-) I could build my own implementation with a default deny policy and open up package resources on a need to have basis. However, I REALLY think that Wicket should be secure by default, and a better solution to this problem should be found...

Regards,
Sebastiaan 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712582#action_12712582 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

waiting to apply until current junit test failures are fixed

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.3.7, 1.4-RC2
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Reopened: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg reopened WICKET-1992:
-----------------------------------


> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.4-RC2
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Resolved: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juergen Donnerstag resolved WICKET-1992.
----------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.4-RC2
         Assignee: Juergen Donnerstag

fixed

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.4-RC2
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12714873#action_12714873 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

One junit test failed (expiry header) before applying the patch and the same test still failed after I applied the patch

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.3.7
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659471#action_12659471 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

On your last point: A ResourceReference and PackageResource is created for each package (static) resource. None of them is responsible or able to handle multiple files. Hence they can not control access to a library.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659079#action_12659079 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

according to my tests web.xml is not accessible. Wicket will throw an IllegalArgumentException. That would mean that only files in web-inf/classes are accessible but not files in web-inf.

log4j.properties is protected by PackageResourceGuard. But log4j.xml and applicationContext.xml are accessible => not good.

I agree with "Wicket should be secure by default". May be a solution could be:
- all resources registered with the application are allowed because the developer by purpose added it
- lazily loading resources without registration is deactivated by default. Can be enabled by devs at their own risk.
- PackageResourceGuard to deny access to any resource by default. Access can be granted per Package (with and without subpackages) and files (pattern)
- Add additional path/filename.extensions of well known config files to PackageResourceGuard which are denied by default and can not easily be removed from the list.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Johan Compagner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659080#action_12659080 ] 

Johan Compagner commented on WICKET-1992:
-----------------------------------------

everything is now pretty lazy so the point:

> lazily loading resources without registration is deactivated by default. Can be enabled by devs at their own risk. 

will be horrible if we turn that back to what wicket was previously (that everything has to be loaded up front)
also over server restarts or clustering. Then everything has to be done by the IInitializers again. Which most people don't use.


I think what could be disabled by default is this setting:

CharSequence getParentFolderPlaceholder();

By default I think that setting should be null.
Then wicket is way more safe by default because only resources that are in the same dir or in one of its children are accessible
and those are default protected by PackageResourceGuard (class/java/html/properties should be guarded I guess by default)
and then it is pretty safe because in those dirs users don't have sensitive config data. Only data that is really for that component.


Then in the doc of that get/set ParentFolderPlaceholder we should warn them that they also should set a right PackageResourceGuard if this property is set
because of the inherent dangers this property generates.

I don't think WEB-INF can be accessed either because looking at Seb's url:

http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml 

this would be the dir:

http://www.mydomain.com/resources/MyBookMarkablePage/log4j.xml 

and that is the WEB-INF/classes dir not the WEB-INF itself
But in that dir there is a lot of config data also so going up just has to be disabled by default.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>



[jira] Resolved: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juergen Donnerstag resolved WICKET-1992.
----------------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 1.4-RC2)

applied provided backported patch to 1.3 trunk

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.3.7
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Sebastiaan van Erk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659088#action_12659088 ] 

Sebastiaan van Erk commented on WICKET-1992:
--------------------------------------------

I agree that the WEB-INF dir itself is not accessible.

However, anything in the classpath is, provided you are able to find a class with the correct classloader. Since Wicket does not generally hide classnames to the external world, in some cases (e.g., bookmarkable pages) that's easy.

I think the $up$ should be disabled, I don't really see the need for it and it's rather dangerous.

But I also think that's still not enough. Any jar in the WEB-INF/lib is a potential target for resources being accessible from the outside world, simply by finding/guessing a class in the target lib and asking it for the resource you are interested in.

I do not agree with:
> Then wicket is way more safe by default because only resources that are in the same dir or in one of its children are accessible
> and those are default protectd by PackageResourceGuard (class/java/html/properties should be guarded i guess by default)
> and then it is pretty safe because in those dirs users dont have sensitive config data. Only data that is really for that component. 

Because this assumes that the class you're using in the resource request is a component, but in fact it can be any class whatsoever.

Personally I would prefer a default deny strategy where the resource class itself implements the IPackageResourceGuard interface. That is, the resource class ITSELF determines if the resource request is allowed. If the interface is not implemented, then it should default to not being allowed.

This way libraries can in an encapsulated way control access to resources in their own jar file/package hierarchy, but you can never request anything that is not expressly allowed.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>

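
The three proposals above (Juergen's default-deny guard, Johan's point that a scope should only reach its own directory and its children, and Sebastiaan's point that the scope class can be any class at all) combined into one guard, as an added example that is not code from Wicket or from anyone on this thread. It assumes the Wicket 1.4 signature IPackageResourceGuard.accept(Class<?> scope, String path), that the guard receives the absolute classpath path as PackageResource passes it, and IResourceSettings.setPackageResourceGuard/setParentFolderPlaceholder; the extension allow-list is constructed for the example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.Component;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Default-deny package resource guard (added example, not Wicket's own
 * PackageResourceGuard). A request is served only when every check passes:
 *  - the scope class is a Wicket Component, so an arbitrary class from a jar
 *    in WEB-INF/lib cannot be used as a scope;
 *  - the resolved path stays inside the scope's own package or a subpackage,
 *    so no parent-folder traversal survives, resolved or not;
 *  - the file extension is on a short, explicit allow-list.
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard
{
	/** Extensions a component may legitimately serve; everything else is denied. */
	private final Set<String> allowedExtensions;

	public DenyByDefaultResourceGuard(String... extensions)
	{
		Set<String> s = new HashSet<String>();
		for (String ext : extensions)
		{
			s.add(ext.toLowerCase(Locale.ENGLISH));
		}
		allowedExtensions = Collections.unmodifiableSet(s);
	}

	/**
	 * Assumed (per the Wicket 1.4 PackageResourceGuard contract) to receive the
	 * absolute classpath path, e.g. "com/myapp/pages/MyBookMarkablePage.css".
	 */
	public boolean accept(Class<?> scope, String path)
	{
		if (scope == null || path == null)
		{
			return false;
		}
		// 1. Only real components may act as resource scopes.
		if (!Component.class.isAssignableFrom(scope))
		{
			return false;
		}
		// 2. Reject any traversal token outright, whether or not it was resolved.
		if (path.contains("..") || path.contains("$up$") || path.contains("\\"))
		{
			return false;
		}
		// 3. The path must stay under the scope's own package (or a subpackage).
		String normalized = path.startsWith("/") ? path.substring(1) : path;
		if (!normalized.startsWith(packagePath(scope)))
		{
			return false;
		}
		// 4. Extension allow-list; a file without an extension is denied as well.
		int dot = normalized.lastIndexOf('.');
		int slash = normalized.lastIndexOf('/');
		if (dot < 0 || dot < slash)
		{
			return false;
		}
		String ext = normalized.substring(dot + 1).toLowerCase(Locale.ENGLISH);
		return allowedExtensions.contains(ext);
	}

	/** "com.myapp.pages.MyPage" -> "com/myapp/pages/" (default package -> ""). */
	static String packagePath(Class<?> scope)
	{
		String name = scope.getName();
		int lastDot = name.lastIndexOf('.');
		return lastDot < 0 ? "" : name.substring(0, lastDot).replace('.', '/') + "/";
	}

	/**
	 * Wiring, to be called from WebApplication.init(). Setting the parent-folder
	 * placeholder to null explicitly means "$up$" is never interpreted, so the
	 * guard's own traversal check is a second layer rather than the only one.
	 */
	public static void install(WebApplication app)
	{
		app.getResourceSettings().setPackageResourceGuard(
			new DenyByDefaultResourceGuard("css", "js", "png", "gif", "jpg"));
		app.getResourceSettings().setParentFolderPlaceholder(null);
	}
}
```

With this guard in place, the URL from the report resolves outside com/myapp/pages/ and is refused at check 3 even if the placeholder were re-enabled; a log4j.xml placed inside the page's own package would still be refused at check 4.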


[jira] Updated: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Martin Dietze (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Dietze updated WICKET-1992:
----------------------------------

    Attachment: wicket1992-1.3.6-jdk1.4.diff

I created a backport of this bugfix to wicket 1.3.6. The patch is appended to this bug. Use at your own risk :)

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.4-RC2
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Updated: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg updated WICKET-1992:
----------------------------------

    Fix Version/s: 1.3.7

Juergen, can you apply the patch please? You did the original work...

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.3.7, 1.4-RC2
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>



[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659430#action_12659430 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

see #wicket-1996 as well.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical



[jira] Updated: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

Posted by "Sebastiaan van Erk (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-1992:
---------------------------------------

    Affects Version/s: 1.3.5

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
