| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <title>CVE-2011-2712 - Apache Wicket XSS vulnerability | Apache Wicket</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| |
| <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" /> |
| <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" /> |
| <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" /> |
| |
| <script src="//code.jquery.com/jquery-1.11.3.min.js"></script> |
| |
| </head> |
| |
| <body class=""> |
| <main> |
| <div class="l-container"> |
| <header class="l-full preamble"> |
| <h1>CVE-2011-2712 - Apache Wicket XSS vulnerability</h1> |
| </header> |
| <section class="l-one-third right"> |
| </section> |
| <section class="l-two-third left"> |
| <div class="l-full"> |
| <p class="meta">23 Aug 2011</p> |
| <p>Severity: Important</p> |
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: Apache Wicket 1.4.x</p>
| <p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p> |
<p>Description: When an application is configured with multi-window support enabled, specially crafted query parameters make it possible to execute arbitrary JavaScript on a site running one of the affected versions.</p>
<p>Mitigation: Either disable multi-window support with</p>
<div class="highlight"><pre><code class="language-java" data-lang="java">import org.apache.wicket.protocol.http.WebApplication;

public class MyApp extends WebApplication {
    @Override
    public void init() {
        super.init();
        // getPageSettings() is a method on Application; turning this setting off
        // removes the multi-window page map handling the advisory is about.
        getPageSettings().setAutomaticMultiWindowSupport(false);
    }
}</code></pre></div>
<p>or upgrade to <a href="http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html">Apache Wicket 1.4.18</a> or
<a href="http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html">Apache Wicket 1.5-RC5.1</a>.</p>
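<p>A practical first step for the upgrade path is finding out which builds actually pull in an affected Wicket release. The script below is an added example, not part of this advisory or of the Wicket project: it reads the dependency lines printed by <code>mvn dependency:list</code> (format <code>groupId:artifactId:type[:classifier]:version:scope</code>) and flags <code>org.apache.wicket</code> artifacts inside the affected range stated above (1.4.x before 1.4.18; 1.3.x and 1.5-RCx not affected). The sample dependency output is constructed, and treating 1.4 pre-release qualifiers (such as <code>1.4-rc7</code>) as affected is an assumption made for a conservative result, not something the advisory states.</p>

```python
"""Flag Apache Wicket artifacts in the CVE-2011-2712 affected range.

Affected range per the advisory: Apache Wicket 1.4.x, first fixed in 1.4.18.
1.3.x and 1.5-RCx are listed as not affected.
Input: the lines printed by `mvn dependency:list`.
"""
import re

FIRST_FIXED_14 = (1, 4, 18)  # first fixed 1.4.x release named by the advisory

# Constructed sample of `mvn dependency:list` output; not taken from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.wicket:wicket:jar:1.4.17:compile
[INFO]    org.apache.wicket:wicket-extensions:jar:1.4.17:compile
[INFO]    org.apache.wicket:wicket-datetime:jar:1.4.18:compile
[INFO]    org.slf4j:slf4j-api:jar:1.6.1:compile
"""

# major.minor[.patch][-qualifier], e.g. 1.4.17, 1.4-rc7, 1.5-RC5.1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z][\w.]*))?$")


def parse_version(text):
    """Split a Wicket version string into a numeric tuple and a qualifier."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), (qualifier or "")


def is_affected(version):
    """True when the version falls in the advisory's affected range."""
    nums, qualifier = parse_version(version)
    if nums[:2] != (1, 4):
        return False  # 1.3.x and 1.5-RCx are not affected per the advisory
    if qualifier:
        # Assumption: 1.4 pre-releases predate 1.4.18, so treat them as affected.
        return True
    return nums < FIRST_FIXED_14


def parse_dependency_lines(text):
    """Return (groupId, artifactId, version) triples from dependency:list output."""
    deps = []
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip()
        parts = body.split(":")
        if len(parts) not in (5, 6):  # 6 fields when a classifier is present
            continue  # header lines and other chatter
        deps.append((parts[0], parts[1], parts[-2]))
    return deps


def affected_wicket_artifacts(text):
    """List (artifactId, version) pairs of Wicket artifacts that need upgrading."""
    return [(artifact, version)
            for group, artifact, version in parse_dependency_lines(text)
            if group == "org.apache.wicket" and is_affected(version)]


if __name__ == "__main__":
    for artifact, version in affected_wicket_artifacts(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: affected by CVE-2011-2712, upgrade to 1.4.18")
```

<p>Run it against real output with <code>mvn dependency:list | python3 check_wicket.py</code> after replacing the constructed sample with <code>sys.stdin.read()</code>; an empty result means no Wicket artifact in the affected range is declared, though transitively shaded copies would not appear in that listing.</p>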
<p>Credit: This issue was discovered by Sven Krewitt of TÜV Rheinland i-sec GmbH.</p>
| </div> |
| </section> |
| </div> |
| </main> |
| <footer class="l-container"> |
| <div class="l-full"> |
| <img height="60px" src="/img/asf_logo.gif" style="float:left"> |
| Copyright © 2014 — The Apache Software Foundation. Apache Wicket, |
| Wicket, Apache, the Apache feather logo, and the Apache Wicket |
| project logo are trademarks of The Apache Software Foundation. All |
| other marks mentioned may be trademarks or registered trademarks of |
| their respective owners. |
| </div> |
| </footer> |
| </body> |
| |
| </html> |