content/2014/09/22/cve-2014-3526.html - wicket-site - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <title>Apache Wicket - CVE-2014-3526 - Apache Wicket Information disclosure vulnerability</title>

 	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

     <!--[if lt ie 7]>
 	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
     <![endif]-->
     <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
 	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
 	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
 </head>
 <body>
 <div id="container">
     <div id="content">
         <div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
 		<div id="navigation">
 	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
 	<ul>
 		<li>
 			<a href="/" title="Index">Home</a>
 		</li>
 		<li>
 			<a href="/meet/introduction.html" title="Introduction">Introduction</a>
 		</li>
 		<li>
 			<a href="/meet/features.html" title="Features">Features</a>
 		</li>
 		<li>
 			<a href="/meet/buzz.html" title="Buzz">Buzz</a>
 		</li>
 		<li>
 			<a href="/meet/vision.html" title="Vision">Vision</a>
 		</li>
 		<li>
 			<a href="/meet/blogs.html" title="Blogs">Blogs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
 		</li>
 		<li>
 			<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
 		</li>
 		<li>
 			<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
 		</li>
 		<li>
 			<a href="/help" title="Get help">Get help</a>
 		</li>
 		<li>
 			<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/userguide.html" title="User Guide">User Guide</a>
 		</li>
 		<li>
 			<a href="/learn/examples" title="Examples">Examples</a>
 		</li>
 		<li>
 			<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
 		</li>
 		<li>
 			<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
 		</li>
 		<li>
 			<a href="/learn/books" title="Books">Books</a>
 		</li>
 		<li>
 			<a href="/learn/ides.html" title="IDEs">IDEs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
 	</h5>
 	<ul>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
 		</li>
 	</ul>
 	<h5>Wicket 7.x</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
 	</h5>
 	<ul>
 		<li>
 			<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
 		</li>
 		<li>
 			<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
 		</li>
 		<li>
 			<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
 		</li>
 		<li>
 			<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
 		</li>
 		<li>
 			<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
 		</li>
 		<li>
 			<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
 		</li>
 		<li>
 			<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
 		</li>
 	</ul>
 </div>

 		<div id="contentbody">
 			<h1>CVE-2014-3526 - Apache Wicket Information disclosure vulnerability</h1>
 			<p>Severity: Important</p>

 <p>Vendor:
 The Apache Software Foundation</p>

 <p>Versions Affected:
 Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2</p>

 <p>Description:</p>

 <p>When rendering a web page Wicket checks the request url against the one at the render time. It is possible the application to change the page parameters (this includes both the query parameters and parameters encoded into the request path). When the requested url differs with the one at the rendering time Wicket stores the response (i.e. the page markup) at the server side and issues an HTTP redirect to the new url. When the second request comes Wicket just flushes the stored response from the first request into the http output stream. This way the browser address bar shows the updated page parameters.
 When storing the page markup at the server side Wicket uses as an identifier a pair of the current session id plus the new url. However, Wicket does not check if user session is temporary (i.e. sessionId is null).
 This could lead to a security issue if two or more users with a temporary session are redirected to the same url at the same time. Then user1 might see the markup for user2 which has overridden the markup for user1 while user1 was following the HTTP redirect. In this way user-sensitive informations can be seen by other users.</p>

 <p>The application developers are recommended to upgrade to:
 - <a href="/2014/09/15/wicket-1.5.12-released.html">Apache Wicket 1.5.12</a>
 - <a href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0</a>
 - <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket 7.0.0-M3</a></p>

 <p>Credit:
 This issue was reported by Andrea Del Bene and Martin Grigorov!</p>

 <p>Apache Wicket Team</p>

 		</div>
         <div id="clearer"></div>
 		<div id="footer"><span>
 Copyright &copy; 2015 &mdash; The Apache Software Foundation. Apache Wicket,
 Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
 are trademarks of The Apache Software Foundation. All other marks mentioned
 may be trademarks or registered trademarks of their respective owners.
 </span></div>

     </div>
 </div>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<title>Apache Wicket - CVE-2014-3526 - Apache Wicket Information disclosure vulnerability</title>

	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

	<!--[if lt ie 7]>
	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
	<![endif]-->
	<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
	</head>
	<body>
	<div id="container">
	<div id="content">
	<div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
	<div id="navigation">
	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
	<ul>
	<li>
	<a href="/" title="Index">Home</a>
	</li>
	<li>
	<a href="/meet/introduction.html" title="Introduction">Introduction</a>
	</li>
	<li>
	<a href="/meet/features.html" title="Features">Features</a>
	</li>
	<li>
	<a href="/meet/buzz.html" title="Buzz">Buzz</a>
	</li>
	<li>
	<a href="/meet/vision.html" title="Vision">Vision</a>
	</li>
	<li>
	<a href="/meet/blogs.html" title="Blogs">Blogs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
	</h5>
	<ul>
	<li>
	<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
	</li>
	<li>
	<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
	</li>
	<li>
	<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
	</li>
	<li>
	<a href="/help" title="Get help">Get help</a>
	</li>
	<li>
	<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
	</h5>
	<ul>
	<li>
	<a href="/start/userguide.html" title="User Guide">User Guide</a>
	</li>
	<li>
	<a href="/learn/examples" title="Examples">Examples</a>
	</li>
	<li>
	<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
	</li>
	<li>
	<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
	</li>
	<li>
	<a href="/learn/books" title="Books">Books</a>
	</li>
	<li>
	<a href="/learn/ides.html" title="IDEs">IDEs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
	</h5>
	<ul>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
	</li>
	</ul>
	<h5>Wicket 7.x</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
	</h5>
	<ul>
	<li>
	<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
	</li>
	<li>
	<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
	</li>
	<li>
	<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
	</li>
	<li>
	<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
	</li>
	<li>
	<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
	</li>
	<li>
	<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
	</li>
	<li>
	<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
	</li>
	<li>
	<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
	</li>
	<li>
	<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
	</li>
	</ul>
	</div>

	<div id="contentbody">
	<h1>CVE-2014-3526 - Apache Wicket Information disclosure vulnerability</h1>
	<p>Severity: Important</p>

	<p>Vendor:
	The Apache Software Foundation</p>

	<p>Versions Affected:
	Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2</p>

	<p>Description:</p>

	<p>When rendering a web page Wicket checks the request url against the one at the render time. It is possible the application to change the page parameters (this includes both the query parameters and parameters encoded into the request path). When the requested url differs with the one at the rendering time Wicket stores the response (i.e. the page markup) at the server side and issues an HTTP redirect to the new url. When the second request comes Wicket just flushes the stored response from the first request into the http output stream. This way the browser address bar shows the updated page parameters.
	When storing the page markup at the server side Wicket uses as an identifier a pair of the current session id plus the new url. However, Wicket does not check if user session is temporary (i.e. sessionId is null).
	This could lead to a security issue if two or more users with a temporary session are redirected to the same url at the same time. Then user1 might see the markup for user2 which has overridden the markup for user1 while user1 was following the HTTP redirect. In this way user-sensitive informations can be seen by other users.</p>

	<p>The application developers are recommended to upgrade to:
	- <a href="/2014/09/15/wicket-1.5.12-released.html">Apache Wicket 1.5.12</a>
	- <a href="/2014/08/24/wicket-6.17.0-released.html">Apache Wicket 6.17.0</a>
	- <a href="/2014/08/23/wicket-7.0.0-M3-released.html">Apache Wicket 7.0.0-M3</a></p>

	<p>Credit:
	This issue was reported by Andrea Del Bene and Martin Grigorov!</p>

	<p>Apache Wicket Team</p>

	</div>
	<div id="clearer"></div>
	<div id="footer"><span>
	Copyright © 2015 — The Apache Software Foundation. Apache Wicket,
	Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
	are trademarks of The Apache Software Foundation. All other marks mentioned
	may be trademarks or registered trademarks of their respective owners.
	</span></div>

	</div>
	</div>
	</body>
	</html>