content/2012/03/22/wicket-cve-2012-1089.html - wicket-site - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <title>Apache Wicket - CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</title>

 	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

     <!--[if lt ie 7]>
 	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
     <![endif]-->
     <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
 	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
 	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
 </head>
 <body>
 <div id="container">
     <div id="content">
         <div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
 		<div id="navigation">
 	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
 	<ul>
 		<li>
 			<a href="/" title="Index">Home</a>
 		</li>
 		<li>
 			<a href="/meet/introduction.html" title="Introduction">Introduction</a>
 		</li>
 		<li>
 			<a href="/meet/features.html" title="Features">Features</a>
 		</li>
 		<li>
 			<a href="/meet/buzz.html" title="Buzz">Buzz</a>
 		</li>
 		<li>
 			<a href="/meet/vision.html" title="Vision">Vision</a>
 		</li>
 		<li>
 			<a href="/meet/blogs.html" title="Blogs">Blogs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
 		</li>
 		<li>
 			<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
 		</li>
 		<li>
 			<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
 		</li>
 		<li>
 			<a href="/help" title="Get help">Get help</a>
 		</li>
 		<li>
 			<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
 	</h5>
 	<ul>
 		<li>
 			<a href="/start/userguide.html" title="User Guide">User Guide</a>
 		</li>
 		<li>
 			<a href="/learn/examples" title="Examples">Examples</a>
 		</li>
 		<li>
 			<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
 		</li>
 		<li>
 			<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
 		</li>
 		<li>
 			<a href="/learn/books" title="Books">Books</a>
 		</li>
 		<li>
 			<a href="/learn/ides.html" title="IDEs">IDEs</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
 		</li>
 		<li>
 			<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
 	</h5>
 	<ul>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
 		</li>
 	</ul>
 	<h5>Wicket 7.x</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
 		</li>
 		<li>
 			<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
 		</li>
 		<li>
 			<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
 	</h5>
 	<ul>
 		<li>
 			<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
 		</li>
 		<li>
 			<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
 		</li>
 		<li>
 			<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
 		</li>
 		<li>
 			<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
 		</li>
 		<li>
 			<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
 		</li>
 	</ul>
 	<h5>
 		<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
 	</h5>
 	<ul>
 		<li>
 			<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
 		</li>
 		<li>
 			<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
 		</li>
 		<li>
 			<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
 		</li>
 		<li>
 			<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
 		</li>
 	</ul>
 </div>

 		<div id="contentbody">
 			<h1>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</h1>
 			<p>Severity: Important</p>

 <p>Vendor:
 The Apache Software Foundation</p>

 <p>Versions Affected:
 Apache Wicket 1.4.x and 1.5.x</p>

 <p>Description:
 It is possible to view the content of any file of a web application by
 using an Url to a Wicket resource which resolves to a ‘null’ package.
 With such a Url the attacker can request the content of any file by specifying
 its relative path, i.e. the attacker must know the file name to be able to
 request it.</p>

 <p>Mitigation:
 Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
 a whitelist of allowed resources.
 Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
 org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
 list of allowed file extensions.
 Either setup SecurePackageResourceGuard with code like:</p>

 <div class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="n">WebApplication</span> <span class="o">{</span>
     <span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
         <span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
         <span class="n">SecurePackageResourceGuard</span> <span class="n">guard</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">SecurePackageResourceGuard</span><span class="o">();</span>
         <span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
         <span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
         <span class="n">getResourceSettings</span><span class="o">().</span><span class="na">setPackageResourceGuard</span><span class="o">(</span><span class="n">guard</span><span class="o">);</span>
     <span class="o">}</span>
 <span class="o">}</span></code></pre></div>

 <p>or upgrade <a href="http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html">Apache Wicket 1.4.20</a> or
 <a href="http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html">Apache Wicket 1.5.5</a></p>

 <p>Credit:
 This issue was discovered by Sebastian van Erk.</p>

 		</div>
         <div id="clearer"></div>
 		<div id="footer"><span>
 Copyright &copy; 2015 &mdash; The Apache Software Foundation. Apache Wicket,
 Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
 are trademarks of The Apache Software Foundation. All other marks mentioned
 may be trademarks or registered trademarks of their respective owners.
 </span></div>

     </div>
 </div>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<title>Apache Wicket - CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</title>

	<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen" />

	<!--[if lt ie 7]>
	<link rel="stylesheet" href="/css/ie.css" type="text/css" media="screen" />
	<![endif]-->
	<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
	<link rel="alternate" type="application/atom+xml" href="/atom.xml" />
	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
	</head>
	<body>
	<div id="container">
	<div id="content">
	<div id="header"><a href="/"><h1 id="logo"><span>Apache Wicket</span></h1></a></div>
	<div id="navigation">
	<h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
	<ul>
	<li>
	<a href="/" title="Index">Home</a>
	</li>
	<li>
	<a href="/meet/introduction.html" title="Introduction">Introduction</a>
	</li>
	<li>
	<a href="/meet/features.html" title="Features">Features</a>
	</li>
	<li>
	<a href="/meet/buzz.html" title="Buzz">Buzz</a>
	</li>
	<li>
	<a href="/meet/vision.html" title="Vision">Vision</a>
	</li>
	<li>
	<a href="/meet/blogs.html" title="Blogs">Blogs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-GettingStarted" id="Navigation-GettingStarted"></a>Get Started
	</h5>
	<ul>
	<li>
	<a href="/start/download.html" title="Download Wicket">Download Wicket</a>
	</li>
	<li>
	<a href="/start/quickstart.html" title="Getting started via a Maven Archetype">Quickstart</a>
	</li>
	<li>
	<a href="http://www.jweekend.com/dev/LegUp" rel="nofollow">More archetypes</a>
	</li>
	<li>
	<a href="/help" title="Get help">Get help</a>
	</li>
	<li>
	<a href="/help/email.html" title="Wicket Mailing Lists">Mailing Lists</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Documentation" id="Navigation-Documentation"></a>Learn
	</h5>
	<ul>
	<li>
	<a href="/start/userguide.html" title="User Guide">User Guide</a>
	</li>
	<li>
	<a href="/learn/examples" title="Examples">Examples</a>
	</li>
	<li>
	<a href="http://www.wicket-library.com/wicket-examples/compref/">Components</a>
	</li>
	<li>
	<a href="/learn/projects/" title="Projects extending basic Wicket">Projects</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET">Wiki</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Reference+library">Reference guide</a>
	</li>
	<li>
	<a href="/learn/books" title="Books">Books</a>
	</li>
	<li>
	<a href="/learn/ides.html" title="IDEs">IDEs</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Releases" id="Navigation-Releases"></a>Releases
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/6.20.0">Wicket 6.20</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.5.13">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.23">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.2" class="external-link" rel="nofollow">Wicket 1.2</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.1" class="external-link" rel="nofollow">Wicket 1.1</a>
	</li>
	<li>
	<a href="http://wicket.sf.net/wicket-1.0" class="external-link" rel="nofollow">Wicket 1.0</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Docs" id="Navigation-Docs"></a>API Docs
	</h5>
	<ul>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/6.x/" title="JavaDocs of Apache Wicket 6.x">Wicket 6.x</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.5.x/" title="JavaDocs of Apache Wicket 1.5.x">Wicket 1.5</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.4.x" title="JavaDocs of Apache Wicket 1.4.x">Wicket 1.4</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/1.3.x" title="JavaDocs of Apache Wicket 1.3.x">Wicket 1.3</a>
	</li>
	</ul>
	<h5>Wicket 7.x</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/dyn/closer.cgi/wicket/7.0.0-M6">Download M6</a>
	</li>
	<li>
	<a href="https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+7.0">Migration guide</a>
	</li>
	<li>
	<a href="http://ci.apache.org/projects/wicket/apidocs/7.x/" title="JavaDocs of Apache Wicket 7.x">API Docs 7.x</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Developers" id="Navigation-Developers"></a>Contribute
	</h5>
	<ul>
	<li>
	<a href="/contribute/write.html" title="Writing documentation">Writing docs</a>
	</li>
	<li>
	<a href="/contribute/build.html" title="Building from SVN">Build Wicket</a>
	</li>
	<li>
	<a href="/contribute/patch.html" title="Provide a patch">Provide a patch</a>
	</li>
	<li>
	<a href="/contribute/release.html" title="Release Wicket">Release Wicket</a>
	</li>
	<li>
	<a href="https://fisheye6.atlassian.com/browse/wicket-git" title="Git Overview" class="external-link" rel="nofollow">Fisheye</a>
	</li>
	</ul>
	<h5>
	<a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
	</h5>
	<ul>
	<li>
	<a href="http://www.apache.org/" class="external-link" rel="nofollow">Apache</a>
	</li>
	<li>
	<a href="http://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a>
	</li>
	<li>
	<a href="http://www.apache.org/foundation/sponsorship.html" class="external-link" rel="nofollow">Sponsorship</a>
	</li>
	<li>
	<a href="http://apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a>
	</li>
	<li>
	<a href="/apache/friends.html" title="Apache projects using Wicket">Friends</a>
	</li>
	</ul>
	</div>

	<div id="contentbody">
	<h1>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</h1>
	<p>Severity: Important</p>

	<p>Vendor:
	The Apache Software Foundation</p>

	<p>Versions Affected:
	Apache Wicket 1.4.x and 1.5.x</p>

	<p>Description:
	It is possible to view the content of any file of a web application by
	using an Url to a Wicket resource which resolves to a ‘null’ package.
	With such a Url the attacker can request the content of any file by specifying
	its relative path, i.e. the attacker must know the file name to be able to
	request it.</p>

	<p>Mitigation:
	Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
	a whitelist of allowed resources.
	Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
	org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
	list of allowed file extensions.
	Either setup SecurePackageResourceGuard with code like:</p>

	<div class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="n">WebApplication</span> <span class="o">{</span>
	<span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
	<span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
	<span class="n">SecurePackageResourceGuard</span> <span class="n">guard</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">SecurePackageResourceGuard</span><span class="o">();</span>
	<span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
	<span class="n">guard</span><span class="o">.</span><span class="na">addPattern</span><span class="o">(...);</span>
	<span class="n">getResourceSettings</span><span class="o">().</span><span class="na">setPackageResourceGuard</span><span class="o">(</span><span class="n">guard</span><span class="o">);</span>
	<span class="o">}</span>
	<span class="o">}</span></code></pre></div>

	<p>or upgrade <a href="http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html">Apache Wicket 1.4.20</a> or
	<a href="http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html">Apache Wicket 1.5.5</a></p>

	<p>Credit:
	This issue was discovered by Sebastian van Erk.</p>

	</div>
	<div id="clearer"></div>
	<div id="footer"><span>
	Copyright © 2015 — The Apache Software Foundation. Apache Wicket,
	Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
	are trademarks of The Apache Software Foundation. All other marks mentioned
	may be trademarks or registered trademarks of their respective owners.
	</span></div>

	</div>
	</div>
	</body>
	</html>