<!DOCTYPE html>
<html>
<head>
<title>Apache Wicket - CVE-2011-2712 - Apache Wicket XSS vulnerability</title>
<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />
<!--[if lt ie 7]>
<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
<![endif]-->
<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
</head>
<body>
<div id="container">
<div id="content">
<div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
<div id="contentbody">
<h1>CVE-2011-2712 - Apache Wicket XSS vulnerability</h1>
<p>Severity: Important</p>
<p>Vendor:
The Apache Software Foundation</p>
<p>Versions Affected:
Apache Wicket 1.4.x</p>
<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>
<p>Description:
When an application is configured with multi-window support, specially crafted query parameters make it possible to execute arbitrary JavaScript on a site running one of the affected versions.</p>
<p>Mitigation:
Either disable multi-window support in your application's <code>init()</code> with</p>
<div class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">import</span> <span class="nn">org.apache.wicket.protocol.http.WebApplication</span><span class="o">;</span>

<span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="n">WebApplication</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
<span class="c1">// Turn off automatic multi-window support, the configuration this XSS depends on.</span>
<span class="n">getPageSettings</span><span class="o">().</span><span class="na">setAutomaticMultiWindowSupport</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span></code></pre></div>
<p>or upgrade to <a href="http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html">Apache Wicket 1.4.18</a> or
<a href="http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html">Apache Wicket 1.5-RC5.1</a></p>
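<p>As an added example that is not part of this advisory, the following Python script triages the Wicket dependencies declared in a Maven <code>pom.xml</code> against the range stated above (1.4.x before the fixed 1.4.18 release is affected; 1.3.x and 1.5-RCx are not). The sample pom, the property-resolution logic and the version cutoff are assumptions derived from the advisory text, not something the Wicket project ships.</p>

```python
# Added example (not from the Apache advisory): triage Maven dependencies against
# CVE-2011-2712. Range derived from the advisory: 1.4.x before 1.4.18 is affected.
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

FIXED_1_4 = (1, 4, 18)  # first 1.4.x release carrying the fix (assumed from the advisory)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")

def parse_version(version: str) -> Tuple[int, int, int, str]:
    m = _VERSION_RE.match(version.strip())  # handles '1.4.17' and '1.5-RC5.1'
    if not m:
        raise ValueError(f"unrecognised Wicket version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch or 0), qualifier or ""

def is_affected(version: str) -> bool:
    major, minor, patch, _ = parse_version(version)  # only 1.4.x < 1.4.18 is affected
    return (major, minor) == (1, 4) and (major, minor, patch) < FIXED_1_4

def _local(el: ET.Element) -> str:
    return el.tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace prefix

def wicket_dependencies(pom_xml: str) -> List[Tuple[str, str, bool]]:
    """Return (artifactId, resolved version, affected) for each org.apache.wicket dependency."""
    root = ET.fromstring(pom_xml)
    props = {_local(p): (p.text or "").strip()
             for block in root.iter() if _local(block) == "properties" for p in block}
    results = []
    for dep in root.iter():
        if _local(dep) != "dependency":
            continue
        f = {_local(c): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.wicket":
            continue
        version = f.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)  # resolve ${wicket.version}-style references
        if ref:
            version = props.get(ref.group(1), version)
        results.append((f.get("artifactId", ""), version, is_affected(version)))
    return results

# Constructed sample pom.xml: one dependency pinned via a property, one already fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties><wicket.version>1.4.17</wicket.version></properties>
<dependencies>
<dependency><groupId>org.apache.wicket</groupId><artifactId>wicket</artifactId><version>${wicket.version}</version></dependency>
<dependency><groupId>org.apache.wicket</groupId><artifactId>wicket-extensions</artifactId><version>1.4.18</version></dependency>
</dependencies></project>"""
```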
<p>Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.</p>
</div>
<div id="clearer"></div>
<div id="footer"><span>
Copyright &copy; 2015 &mdash; The Apache Software Foundation. Apache Wicket,
Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
are trademarks of The Apache Software Foundation. All other marks mentioned
may be trademarks or registered trademarks of their respective owners.
</span></div>
</div>
</div>
</body>
</html>