content/news/2014/02/06/cve-2013-2055.html - wicket-site - Git at Google

 <!DOCTYPE html>
 <html>
     <head>
         <meta charset="utf-8">
         <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
         <title>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability | Apache Wicket</title>
         <meta charset="utf8">
         <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
         <meta name="viewport" content="width=device-width, initial-scale=1" />

         <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
         <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
         <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" />

 		<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>

     </head>

     <body class="">
         <div class="header default">
     <div class="l-container">
 <nav class="mainmenu">
     <ul>
 		<!-- /start/quickstart.html || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/start/quickstart.html">Quick Start</a></li>
 		<!-- /start/download.html || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/start/download.html">Download</a></li>
 		<!-- /learn || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/learn">Documentation</a></li>
 		<!-- /help || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/help">Support</a></li>
 		<!-- /contribute || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/contribute">Contribute</a></li>
 		<!-- /apache || /news/2014/02/06/cve-2013-2055.html -->
     	<li class=""><a href="/apache">Apache</a></li>
     </ul>
 </nav>
         <div class="logo">
     <a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a>
 </div>
     </div>
 </div>
 <main>
     <div class="l-container">
         <header class="l-full preamble">
             <h1>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability</h1>
         </header>
         <section class="l-one-third right">
         </section>
         <section class="l-two-third left">
             <div class="l-full">
     <p class="meta">06 Feb 2014</p>
     <p>Severity: Important</p>
 <p>Vendor:
 The Apache Software Foundation</p>
 <p>Versions Affected:
 Apache Wicket 1.4.22, 1.5.10 and 6.7.0</p>
 <p>Description:
 It is possible to make Wicket deliver the HTML templates in their raw/non-processed form.
 An attacker could see any sensitive information in the part of the HTML template that is usually ignored during rendering.
 For example if there is sensitive information before or after the Wicket Panel/Border’s markup:</p>
 <div class="highlight"><pre><code class="language-xml" data-lang="xml">something sensitive here 1
 <span class="nt">&lt;wicket:panel&gt;</span>
    real application code
 <span class="nt">&lt;/wicket:panel&gt;</span>
 something sensitive here 2</code></pre></div>
 <p>Usually Wicket will render only the “real application code” part but by exploiting this vulnerability an attacker can see also the code with the sensitive information.</p>
 <p>The application developers are recommended to upgrade to:
 - <a href="/2014/02/06/wicket-1.4.23-released.html">Apache Wicket 1.4.23</a>
 - <a href="/2014/02/06/wicket-1.5.11-released.html">Apache Wicket 1.5.11</a>
 - <a href="/2013/05/17/wicket-6.8.0-released.html">Apache Wicket 6.8.0</a></p>
 <p>and/or to remove any sensitive information in the HTML templates.</p>
 <p>Apache Wicket Team</p>
 </div>
         </section>
     </div>
 </main>
         <footer class="l-container">
             <div class="l-full">
     <img height="60px" src="/img/asf_logo.gif" style="float:left">
     Copyright © 2014 — The Apache Software Foundation. Apache Wicket,
     Wicket, Apache, the Apache feather logo, and the Apache Wicket
     project logo are trademarks of The Apache Software Foundation. All
     other marks mentioned may be trademarks or registered trademarks of
     their respective owners.
 </div>
         </footer>
     </body>

 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<title>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability \| Apache Wicket</title>
	<meta charset="utf8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<meta name="viewport" content="width=device-width, initial-scale=1" />

	<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
	<link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
	<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" />

	<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>

	</head>

	<body class="">
	<div class="header default">
	<div class="l-container">
	<nav class="mainmenu">
	<ul>
	<!-- /start/quickstart.html \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/start/quickstart.html">Quick Start</a></li>
	<!-- /start/download.html \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/start/download.html">Download</a></li>
	<!-- /learn \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/learn">Documentation</a></li>
	<!-- /help \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/help">Support</a></li>
	<!-- /contribute \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/contribute">Contribute</a></li>
	<!-- /apache \|\| /news/2014/02/06/cve-2013-2055.html -->
	<li class=""><a href="/apache">Apache</a></li>
	</ul>
	</nav>
	<div class="logo">
	<a href="/"><img src="/img/logo-apachewicket-white.svg" alt="Apache Wicket"></a>
	</div>
	</div>
	</div>
	<main>
	<div class="l-container">
	<header class="l-full preamble">
	<h1>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability</h1>
	</header>
	<section class="l-one-third right">
	</section>
	<section class="l-two-third left">
	<div class="l-full">
	<p class="meta">06 Feb 2014</p>
	<p>Severity: Important</p>
	<p>Vendor:
	The Apache Software Foundation</p>
	<p>Versions Affected:
	Apache Wicket 1.4.22, 1.5.10 and 6.7.0</p>
	<p>Description:
	It is possible to make Wicket deliver the HTML templates in their raw/non-processed form.
	An attacker could see any sensitive information in the part of the HTML template that is usually ignored during rendering.
	For example if there is sensitive information before or after the Wicket Panel/Border’s markup:</p>
	<div class="highlight"><pre><code class="language-xml" data-lang="xml">something sensitive here 1
	<span class="nt"><wicket:panel></span>
	real application code
	<span class="nt"></wicket:panel></span>
	something sensitive here 2</code></pre></div>
	<p>Usually Wicket will render only the “real application code” part but by exploiting this vulnerability an attacker can see also the code with the sensitive information.</p>
	<p>The application developers are recommended to upgrade to:
	- <a href="/2014/02/06/wicket-1.4.23-released.html">Apache Wicket 1.4.23</a>
	- <a href="/2014/02/06/wicket-1.5.11-released.html">Apache Wicket 1.5.11</a>
	- <a href="/2013/05/17/wicket-6.8.0-released.html">Apache Wicket 6.8.0</a></p>
	<p>and/or to remove any sensitive information in the HTML templates.</p>
	<p>Apache Wicket Team</p>
	</div>
	</section>
	</div>
	</main>
	<footer class="l-container">
	<div class="l-full">
	<img height="60px" src="/img/asf_logo.gif" style="float:left">
	Copyright © 2014 — The Apache Software Foundation. Apache Wicket,
	Wicket, Apache, the Apache feather logo, and the Apache Wicket
	project logo are trademarks of The Apache Software Foundation. All
	other marks mentioned may be trademarks or registered trademarks of
	their respective owners.
	</div>
	</footer>
	</body>

	</html>