lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Mar 2012 11:52:30 +0200 From: Martin Grigorov <mgrigorov@...che.org> To: announce@...ket.apache.org, users@...ket.apache.org, dev@...ket.apache.org Cc: security@...che.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.4.x and 1.5.x Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a 'null' package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it. Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like: MyApp#init() { ... SecurePackageResourceGuard guard = new SecurePackageResourceGuard(); guard.addPattern(...); guard.addPattern(...); ... getResourceSettings().setPackageResourceGuard(guard); } or upgrade to Apache Wicket 1.4.20 or 1.5.5. Credit: This issue was discovered by Sebastian van Erk. Apache Wicket Team
Powered by blists - more mailing lists