Google Git
Sign in
apache / wicket-site / d8f154692d43ab5773a7ef9dd9827028cceac418 / . / content / news / 2011 / 08 / 23 / cve-2011-2712.html
blob: 939aae1fba2a34f57d2dacf7272f63b488b243a0 [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>CVE-2011-2712 - Apache Wicket XSS vulnerability | Apache Wicket</title>
<meta charset="utf8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
<link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" />
<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
</head>
<body class="">
<div class="header default">
<div class="l-container">
<nav class="mainmenu">
<ul>
<!-- /start/quickstart.html || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/start/quickstart.html">Quick Start</a></li>
<!-- /start/download.html || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/start/download.html">Download</a></li>
<!-- /learn || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/learn">Documentation</a></li>
<!-- /help || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/help">Support</a></li>
<!-- /contribute || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/contribute">Contribute</a></li>
<!-- /apache || /news/2011/08/23/cve-2011-2712.html -->
<li class=""><a href="/apache">Apache</a></li>
</ul>
</nav>
<div class="logo">
<a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a>
</div>
</div>
</div>
<main>
<div class="l-container">
<header class="l-full preamble">
<h1>CVE-2011-2712 - Apache Wicket XSS vulnerability</h1>
</header>
<section class="l-one-third right">
</section>
<section class="l-two-third left">
<div class="l-full">
<p class="meta">23 Aug 2011</p>
<p>Severity: Important</p>
<p>Vendor:
The Apache Software Foundation</p>
<p>Versions Affected:
Apache Wicket 1.4.x</p>
<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>
<p>Description:
With multi window support application configuration and special query parameters it is possible to execute any kind of JavaScript on a site running with the affected versions.</p>
<p>Mitigation:
Either disable multi window support with</p>
<div class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyApp</span> <span class="kd">extends</span> <span class="n">WebApplication</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">();</span>
<span class="n">getPageSettings</span><span class="o">.</span><span class="na">setAutomaticMultiWindowSupport</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span></code></pre></div>
<p>or upgrade to <a href="http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html">Apache Wicket 1.4.18</a> or
<a href="http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html">Apache Wicket 1.5-RC5.1</a></p>
<p>Credit:
This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.</p>
</div>
</section>
</div>
</main>
<footer class="l-container">
<div class="l-full">
<img height="60px" src="/img/asf_logo.gif" style="float:left">
Copyright © 2014 — The Apache Software Foundation. Apache Wicket,
Wicket, Apache, the Apache feather logo, and the Apache Wicket
project logo are trademarks of The Apache Software Foundation. All
other marks mentioned may be trademarks or registered trademarks of
their respective owners.
</div>
</footer>
</body>
</html>