<p>Severity: Important</p>

<p>Vendor:
The Apache Software Foundation</p>

<p>Versions Affected:
Apache Wicket 1.4.x</p>

<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>

<p>Description:
When an application is configured with automatic multi window support, specially crafted query parameters make it possible to execute arbitrary JavaScript on a site running one of the affected versions.</p>

<p>Mitigation:
Either disable multi window support with</p>

<figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">import</span> <span class="nn">org.apache.wicket.protocol.http.WebApplication</span><span class="o">;</span>

<span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="nc">WebApplication</span> <span class="o">{</span>
    <span class="nd">@Override</span>
    <span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
        <span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
        <span class="c1">// Turn off automatic multi window support, the feature this issue abuses.</span>
        <span class="c1">// The rest of the application (getHomePage() etc.) is unchanged.</span>
        <span class="n">getPageSettings</span><span class="o">().</span><span class="na">setAutomaticMultiWindowSupport</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span>
    <span class="o">}</span>
<span class="o">}</span></code></pre></figure>

<p>or upgrade to <a href="http://wicket.apache.org/news/2011/08/09/wicket-1.4.18-released.html">Apache Wicket 1.4.18</a> or
<a href="http://wicket.apache.org/news/2011/06/25/wicket-1.5-RC5.1-released.html">Apache Wicket 1.5-RC5.1</a></p>

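<p>The following Python script is an added example and is not part of this advisory or of the Wicket project. It reads the org.apache.wicket dependency version out of a pom.xml (resolving a <code>${...}</code> property reference) or out of a jar's MANIFEST.MF, and classifies it against the version ranges stated above, so a deployment can be checked before choosing between the configuration change and the upgrade. The sample pom and manifest are constructed for the example, and all function and variable names are assumptions of this example.</p>

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs for this example (not taken from the advisory).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <wicket.version>1.4.17</wicket.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.wicket</groupId>
      <artifactId>wicket</artifactId>
      <version>${wicket.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.6.1</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_MANIFEST = """Manifest-Version: 1.0
Implementation-Title: Wicket
Implementation-Version: 1.4.18
"""

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# major.minor[.patch][-QUALIFIER], e.g. 1.4.17, 1.3.7, 1.5-RC5.1, 1.4.17-SNAPSHOT
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z][A-Za-z0-9.]*))?")
PROPERTY_RE = re.compile(r"\$\{([^}]+)\}")


@dataclass
class Verdict:
    artifact: str
    version: str
    affected: bool
    reason: str


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split a Wicket version string into (major, minor, patch, QUALIFIER)."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Wicket version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch or 0), (qualifier or "").upper()


def classify(artifact: str, version: str) -> Verdict:
    """Apply the advisory's ranges: 1.4.x before 1.4.18 is affected, 1.3.x and 1.5-RCx are not."""
    major, minor, patch, qualifier = parse_version(version)
    if (major, minor) == (1, 4):
        if patch < 18:
            return Verdict(artifact, version, True,
                           "1.4.x before 1.4.18: upgrade to 1.4.18 or disable multi window support")
        return Verdict(artifact, version, False, "1.4.18 or later includes the fix")
    if (major, minor) == (1, 3):
        return Verdict(artifact, version, False, "1.3.x is not affected")
    if (major, minor) == (1, 5) and qualifier.startswith("RC"):
        return Verdict(artifact, version, False, "1.5-RCx is not affected (1.5-RC5.1 is the recommended build)")
    return Verdict(artifact, version, False, "outside the version ranges named in the advisory")


def wicket_versions_from_pom(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every org.apache.wicket dependency, resolving ${property} versions."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", MAVEN_NS)
    props: Dict[str, str] = {} if props_el is None else {
        child.tag.split("}")[-1]: (child.text or "").strip() for child in props_el
    }
    found = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        version = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        ref = PROPERTY_RE.fullmatch(version)
        if ref:
            version = props.get(ref.group(1), version)
        if group == "org.apache.wicket" and version:
            found.append((artifact, version))
    return found


def version_from_manifest(manifest: str) -> Optional[str]:
    """Read Implementation-Version from the text of a jar's META-INF/MANIFEST.MF."""
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def audit_pom(pom_xml: str) -> List[Verdict]:
    """One verdict per Wicket dependency found in the pom."""
    return [classify(artifact, version) for artifact, version in wicket_versions_from_pom(pom_xml)]


if __name__ == "__main__":
    for verdict in audit_pom(SAMPLE_POM):
        print(verdict)
    jar_version = version_from_manifest(SAMPLE_MANIFEST)
    if jar_version:
        print(classify("wicket (from manifest)", jar_version))
```

<p>Run the script as-is to see the constructed pom flagged as affected (1.4.17) and the constructed manifest cleared (1.4.18); point <code>audit_pom</code> at a real pom.xml, or <code>version_from_manifest</code> at the MANIFEST.MF extracted from the deployed wicket jar, to check an actual deployment. A version the regex cannot parse raises rather than silently passing.</p>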
<p>Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.</p>