[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2012-1089] Apache Wicket serving of hidden files vulnerability

To: announce@xxxxxxxxxxxxxxxxx, users@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx
Subject: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
From: Martin Grigorov <mgrigorov@xxxxxxxxxx>
Date: Thu, 22 Mar 2012 11:52:30 +0200

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x and 1.5.x

Description:
It is possible to view the content of any file of a web application by
using an Url to a Wicket resource which resolves to a 'null' package.
With such a Url the attacker can request the content of any file by specifying
its relative path, i.e. the attacker must know the file name to be able to
request it.

Mitigation:
Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either setup SecurePackageResourceGuard with code like:

MyApp#init() {
  ...
  SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
  guard.addPattern(...);
  guard.addPattern(...);
  ...
  getResourceSettings().setPackageResourceGuard(guard);
}

or upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Sebastian van Erk.

Apache Wicket Team

Prev by Date: [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
Next by Date: Prado TJavaScript::encode() script injection vulnerability
Previous by thread: [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
Next by thread: Prado TJavaScript::encode() script injection vulnerability
Index(es):
- Date
- Thread