| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <title>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability | Apache Wicket</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| |
| <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" /> |
| <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" /> |
| <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" /> |
| |
| <script src="//code.jquery.com/jquery-1.11.3.min.js"></script> |
| |
| </head> |
| |
| <body class=""> |
| <div class="header default"> |
| <div class="l-container"> |
| <nav class="mainmenu"> |
<ul>
<li class=""><a href="/start/quickstart.html">Quick Start</a></li>
<li class=""><a href="/start/download.html">Download</a></li>
<li class=""><a href="/learn">Documentation</a></li>
<li class=""><a href="/help">Support</a></li>
<li class=""><a href="/contribute">Contribute</a></li>
<li class=""><a href="/apache">Apache</a></li>
</ul>
| </nav> |
| <div class="logo"> |
| <a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a> |
| </div> |
| </div> |
| </div> |
| <main> |
| <div class="l-container"> |
| <header class="l-full preamble"> |
| <h1>CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability</h1> |
| </header> |
| <section class="l-one-third right"> |
| </section> |
| <section class="l-two-third left"> |
| <div class="l-full"> |
| <p class="meta">22 Mar 2012</p> |
| <p>Severity: Important</p> |
| <p>Vendor: |
| The Apache Software Foundation</p> |
| <p>Versions Affected: |
| Apache Wicket 1.4.x and 1.5.x</p> |
<p>Description:
It is possible to view the content of any file of a web application by
requesting a URL for a Wicket resource whose scope resolves to a ‘null’ package.
With such a URL the attacker can retrieve the content of any file by specifying
its relative path; that is, the attacker must know the file name to be able to
request it.</p>
<p>Mitigation:
Set up a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either set up SecurePackageResourceGuard explicitly with code like:</p>
<div class="highlight"><pre><code class="language-java" data-lang="java">import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApp extends WebApplication {
    @Override
    public void init() {
        super.init();
        // Start from the guard's built-in whitelist of file extensions and
        // add only the resource types this application actually serves.
        SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
        guard.addPattern(...); // a "+" pattern allows a resource type, e.g. +*.png
        guard.addPattern(...); // a "-" pattern denies one
        // Install the guard so every package resource request is checked against it.
        getResourceSettings().setPackageResourceGuard(guard);
    }
}</code></pre></div>
<p>or upgrade to <a href="http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html">Apache Wicket 1.4.20</a> or
<a href="http://wicket.apache.org/2012/03/12/wicket-1.5.5-released.html">Apache Wicket 1.5.5</a>.</p>
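<p>The custom-guard route from the mitigation above, written out as an added example (this is not code from the advisory or from the Wicket project). It assumes the Wicket 1.4/1.5 interface, where IPackageResourceGuard declares <code>boolean accept(Class&lt;?&gt; scope, String path)</code>; the class names, the package and the extension list are the author's own choices. The guard denies by default: it refuses a missing scope or a scope class with no package (the ‘null package’ case the advisory describes, where the path would be resolved from the classpath root), absolute paths, any <code>..</code> segment, hidden files and directories, and every extension not on the list.</p>

```java
// Added example, not part of the advisory or of the Wicket code base.
// Assumes the Wicket 1.4/1.5 API, where IPackageResourceGuard declares
// boolean accept(Class<?> scope, String path). Class names, the package
// and the extension list are the author's own choices.
package com.example.app;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApp extends WebApplication {

    @Override
    protected void init() {
        super.init();
        // Replace the default guard with the allow-list guard below.
        getResourceSettings().setPackageResourceGuard(new WhitelistResourceGuard());
    }

    /** Deny-by-default guard: only listed extensions, never hidden or traversed paths. */
    public static class WhitelistResourceGuard implements IPackageResourceGuard {

        private static final Set<String> ALLOWED_EXTENSIONS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("css", "js", "png", "gif", "jpg", "jpeg", "ico")));

        @Override
        public boolean accept(Class<?> scope, String path) {
            // No scope, or a scope class without a package, means nothing anchors
            // the lookup and the path would be resolved from the classpath root:
            // the "null package" situation the advisory describes. Refuse it.
            if (scope == null || scope.getPackage() == null || path == null) {
                return false;
            }
            String normalized = path.replace('\\', '/');
            // Neither absolute paths nor parent-directory traversal are allowed.
            // (Stricter than Wicket's default guard: a legitimate "../shared/x.css"
            // reference must instead use a scope class that sits next to the file.)
            if (normalized.startsWith("/") || normalized.contains("..")) {
                return false;
            }
            String[] segments = normalized.split("/");
            // Refuse empty segments and hidden files or directories
            // (".htaccess", ".svn/entries", ".git/config").
            for (String segment : segments) {
                if (segment.isEmpty() || segment.startsWith(".")) {
                    return false;
                }
            }
            // Only file extensions on the allow list are served; .class, .properties,
            // .xml, .java and anything without an extension fall through to "deny".
            String name = segments[segments.length - 1];
            int dot = name.lastIndexOf('.');
            if (dot <= 0 || dot == name.length() - 1) {
                return false;
            }
            String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
            return ALLOWED_EXTENSIONS.contains(ext);
        }
    }
}
```

<p>With this guard installed, a request such as <code>logo.png</code> scoped to a page class is served, while <code>../../WEB-INF/web.xml</code>, <code>.htaccess</code>, <code>MyPage.class</code> or <code>application.properties</code> are all rejected before Wicket reads anything from the classpath. Keep the extension list as short as the application allows; every entry added to it widens what an attacker who knows a file name can fetch.</p>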
| <p>Credit: |
| This issue was discovered by Sebastian van Erk.</p> |
| </div> |
| </section> |
| </div> |
| </main> |
| <footer class="l-container"> |
| <div class="l-full"> |
| <img height="60px" src="/img/asf_logo.gif" style="float:left"> |
| Copyright © 2014 — The Apache Software Foundation. Apache Wicket, |
| Wicket, Apache, the Apache feather logo, and the Apache Wicket |
| project logo are trademarks of The Apache Software Foundation. All |
| other marks mentioned may be trademarks or registered trademarks of |
| their respective owners. |
| </div> |
| </footer> |
| </body> |
| |
| </html> |