[CVE-2012-1089] Apache Wicket serving of hidden files vulnerability

2012-04-09T00:00:00
ID SECURITYVULNS:DOC:27910
Type securityvulns
Reporter Securityvulns
Modified 2012-04-09T00:00:00

Description

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x and 1.5.x

Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a 'null' package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.

Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:

MyApp#init() { ... SecurePackageResourceGuard guard = new SecurePackageResourceGuard(); guard.addPattern(...); guard.addPattern(...); ... getResourceSettings().setPackageResourceGuard(guard); }

or upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit: This issue was discovered by Sebastian van Erk.

Apache Wicket Team