Apache Wicket Discloses Hidden Application Files to Remote Users - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Apache Wicket

Vendors: Apache Software Foundation

Apache Wicket Discloses Hidden Application Files to Remote Users

SecurityTracker Alert ID: 1026846

SecurityTracker URL: http://securitytracker.com/id/1026846

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Updated: Mar 23 2012

Original Entry Date: Mar 23 2012

Impact: Disclosure of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 1.4.x, 1.5.x

Description: A vulnerability was reported in Apache Wicket. A remote user can view certain hidden files on the target system.

A remote user can load a specially crafted URL that specifies a relative path to a known file name to view the contents of arbitrary web application files.

Sebastian van Erk reported this vulnerability.

Impact: A remote user can view certain files on the target system.

Solution: The vendor has issued a fix (1.4.20, 1.5.5).

Vendor URL: wicket.apache.org/ (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: Thu, 22 Mar 2012 11:52:30 +0200
Subject: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x and 1.5.x

Description:
It is possible to view the content of any file of a web application by
using an Url to a Wicket resource which resolves to a 'null' package.
With such a Url the attacker can request the content of any file by specifying
its relative path, i.e. the attacker must know the file name to be able to
request it.

Mitigation:
Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either setup SecurePackageResourceGuard with code like:

MyApp#init() {
  ...
  SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
  guard.addPattern(...);
  guard.addPattern(...);
  ...
  getResourceSettings().setPackageResourceGuard(guard);
}

or upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Sebastian van Erk.

Apache Wicket Team

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC