[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [CVE-2011-2712] Apache Wicket XSS vulnerability

To: Martin Grigorov <mgrigorov@xxxxxxxxxx>, "announce@xxxxxxxxxxxxxxxxx" <announce@xxxxxxxxxxxxxxxxx>, "users@xxxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxxx>, "dev@xxxxxxxxxxxxxxxxx" <dev@xxxxxxxxxxxxxxxxx>, "security@xxxxxxxxxx" <security@xxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] [CVE-2011-2712] Apache Wicket XSS vulnerability
From: Steven Nuhn <steve@xxxxxxxxxxxxxxxxxx>
Date: Thu, 25 Aug 2011 13:52:28 -0700

Martin Grigorov <mgrigorov@xxxxxxxxxx> wrote:


Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5-RCx are not affected

Description:
With multi window support application configuration and special query
parameters it
is possible to execute any kind of JavaScript on a site running with the
affected versions.

Mitigation:
Either disable multi window support with
org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(false)
or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1.

Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.


Apache Wicket Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x17
Next by Date: Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x17
Previous by thread: Re: [Full-disclosure] HTTPKiller - (Global HTTP DoS)
Next by thread: [Full-disclosure] Paper - Dissecting Java Server Faces for Penetration Testing
Index(es):
- Date
- Thread