<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta charset="utf-8">
<title>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability | Apache Wicket</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
<link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" />
<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
</head>
<body class="">
<div class="header default">
<div class="l-container">
<div class="logo">
<a href="/"><img src="/img/logo-apachewicket.svg" alt="Apache Wicket"></a>
</div>
</div>
</div>
<main>
<div class="l-container">
<header class="l-full preamble">
<h1>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</h1>
</header>
<section class="toc left">
</section>
<section>
<div class="l-full">
<p class="meta">22 Mar 2012</p>
<p>Severity: Important</p>
<p>Vendor:
The Apache Software Foundation</p>
<p>Versions Affected:
Apache Wicket 1.4.x and 1.5.x</p>
<p>Description:
It is possible to view the content of any file of a web application by
using a URL to a Wicket resource which resolves to a ‘null’ package.
With such a URL the attacker can request the content of any file by specifying
its relative path, i.e. the attacker must know the file name to be able to
request it.</p>
<p>Mitigation:
Set up a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5, Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either set up SecurePackageResourceGuard with code like:</p>
<figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">import</span> <span class="nn">org.apache.wicket.markup.html.SecurePackageResourceGuard</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.apache.wicket.protocol.http.WebApplication</span><span class="o">;</span>

<span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="nc">WebApplication</span> <span class="o">{</span>
    <span class="nd">@Override</span>
    <span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
        <span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
        <span class="c1">// Starts from the guard's preconfigured whitelist of allowed file extensions</span>
        <span class="nc">SecurePackageResourceGuard</span> <span class="n">guard</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecurePackageResourceGuard</span><span class="o">();</span>
        <span class="c1">// Add only the resource patterns this application actually serves</span>
        <span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
        <span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
        <span class="c1">// Install the guard so every package resource request is checked against it</span>
        <span class="n">getResourceSettings</span><span class="o">().</span><span class="na">setPackageResourceGuard</span><span class="o">(</span><span class="n">guard</span><span class="o">);</span>
    <span class="o">}</span>
<span class="o">}</span></code></pre></figure>
<p>or upgrade to <a href="http://wicket.apache.org/news/2012/03/12/wicket-1.4.20-released.html">Apache Wicket 1.4.20</a> or
<a href="http://wicket.apache.org/news/2012/03/12/wicket-1.5.5-released.html">Apache Wicket 1.5.5</a>.</p>
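<p>The following is an added example, not code from this advisory or from the Wicket project, showing the other mitigation path named above: a custom IPackageResourceGuard that whitelists resources instead of relying on SecurePackageResourceGuard's preconfigured list. It refuses any path with a hidden or traversal segment (one starting with a dot) and serves only files whose extension is on the allowed list. The accept(Class&lt;?&gt;, String) signature is assumed for Wicket 1.4.x/1.5.x, the class name WhitelistResourceGuard is our own, and the sample paths in main are constructed for the stand-alone check, not real application paths.</p>

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Whitelist guard for package resources (example code, not Wicket's own).
 * A path is served only if no path segment starts with a dot (no ".", "..",
 * ".htaccess", ".git" and similar hidden entries) and the file extension is on
 * the allowed list. Everything else, including .class, .properties and .xml
 * files that sit next to the markup, is refused.
 */
public class WhitelistResourceGuard implements IPackageResourceGuard {

    private final Set<String> allowedExtensions;

    public WhitelistResourceGuard(String... extensions) {
        Set<String> set = new HashSet<String>();
        for (String ext : extensions) {
            set.add(ext.toLowerCase(Locale.ROOT));
        }
        allowedExtensions = Collections.unmodifiableSet(set);
    }

    /**
     * Assumed signature of IPackageResourceGuard in Wicket 1.4.x/1.5.x:
     * accept(Class<?> scope, String path). Wicket consults the guard before
     * resolving a package resource; returning false refuses the request.
     */
    public boolean accept(Class<?> scope, String path) {
        if (path == null || path.length() == 0) {
            return false;
        }
        // Treat backslashes like slashes so a "..\" segment cannot bypass the check.
        String normalized = path.replace('\\', '/');
        for (String segment : normalized.split("/")) {
            // Rejects ".", "..", ".git", ".htaccess" and any other dot-prefixed entry.
            if (segment.startsWith(".")) {
                return false;
            }
        }
        String fileName = normalized.substring(normalized.lastIndexOf('/') + 1);
        int dot = fileName.lastIndexOf('.');
        if (fileName.length() == 0 || dot <= 0 || dot == fileName.length() - 1) {
            return false; // directory path, no extension, or empty extension: refuse
        }
        String extension = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return allowedExtensions.contains(extension);
    }

    /** Stand-alone check over constructed sample paths (not real application paths). */
    public static void main(String[] args) {
        WhitelistResourceGuard guard =
            new WhitelistResourceGuard("css", "js", "png", "gif", "jpg", "ico");
        String[] samples = {
            "com/example/app/style.css",      // ALLOW: whitelisted extension
            "com/example/app/logo.PNG",       // ALLOW: extension match is case-insensitive
            "com/example/app/HomePage.class", // REFUSE: extension not whitelisted
            "com/example/app/.htaccess",      // REFUSE: hidden file
            "../../WEB-INF/web.xml",          // REFUSE: traversal segment and extension
            "com/example/app/README",         // REFUSE: no extension
            "com/example/app/",               // REFUSE: directory, no file name
        };
        for (String sample : samples) {
            System.out.println((guard.accept(null, sample) ? "ALLOW  " : "REFUSE ") + sample);
        }
    }
}
```

<p>Install it exactly as the snippet above installs SecurePackageResourceGuard, from init() of the application: getResourceSettings().setPackageResourceGuard(new WhitelistResourceGuard("css", "js", "png", "gif", "jpg", "ico")). Keep the extension list to what the application really serves as static resources; the whole point of the fix is that anything not explicitly listed, such as compiled classes, property files or deployment descriptors, is refused even when the request names it correctly.</p>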
<p>Credit:
This issue was discovered by Sebastian van Erk.</p>
</div>
</section>
</div>
</main>
<footer>
<div class="l-container">
<div class="left">
<img src="/img/asf_logo_url.svg" style="height:90px; float:left; margin-right:10px;">
<div style="margin-top:12px;">Copyright © 2020 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
</div>
</div>
</footer>
</body>
</html>