[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMomwMrS+Wy_i0ciwCm=zw22QD2dPVCwxR3B3niM2X0e1KqYCQ@mail.gmail.com>
Date: Thu, 22 Mar 2012 11:52:30 +0200
From: Martin Grigorov <mgrigorov@...che.org>
To: announce@...ket.apache.org, users@...ket.apache.org, dev@...ket.apache.org
Cc: full-disclosure@...ts.grok.org.uk, security@...che.org,
bugtraq@...urityfocus.com
Subject: [CVE-2012-1089] Apache Wicket serving of hidden
files vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.4.x and 1.5.x
Description:
It is possible to view the content of any file of a web application by
using an Url to a Wicket resource which resolves to a 'null' package.
With such a Url the attacker can request the content of any file by specifying
its relative path, i.e. the attacker must know the file name to be able to
request it.
Mitigation:
Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either setup SecurePackageResourceGuard with code like:
MyApp#init() {
...
SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
guard.addPattern(...);
guard.addPattern(...);
...
getResourceSettings().setPackageResourceGuard(guard);
}
or upgrade to Apache Wicket 1.4.20 or 1.5.5.
Credit:
This issue was discovered by Sebastian van Erk.
Apache Wicket Team
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists