
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN149
____________________________________________________________________

DATE                : 23/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Apache Wicket 1.4.x prior to 1.4.20
                      or 1.5.x prior to 1.5.5.

======================================================================
http://mail-archives.apache.org/mod_mbox/wicket-announce/201203.mbox/%3cCAMomwMqkV4r4AXvzTt8bdofFtR6u+671Sx2j8zySRAx1wo1G0Q@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/wicket-announce/201203.mbox/%3CCAMomwMrS+Wy_i0ciwCm=zw22QD2dPVCwxR3B3niM2X0e1KqYCQ@mail.gmail.com%3E
______________________________________________________________________


CVE-2012-0047 - Apache Wicket XSS vulnerability via pageMapName
request parameter

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description: A Cross-Site Scripting (XSS) attack is possible by
manipulating the value of the wicket:pageMapName request parameter.

Mitigation: Upgrade to Apache Wicket 1.4.20 or Apache Wicket 1.5.5

Credit: This issue was discovered by Jens Schenck and Stefan Schmidt.

______________________________________________________________________

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x and 1.5.x

Description:
It is possible to view the content of any file of a web application by
using a URL to a Wicket resource which resolves to a 'null' package.
With such a URL the attacker can request the content of any file by
specifying its relative path, i.e., the attacker must know the file
name to be able to request it.

Mitigation:
Set up a custom org.apache.wicket.markup.html.IPackageResourceGuard
that provides a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a
preconfigured list of allowed file extensions.
Either set up SecurePackageResourceGuard in the application's init()
method with code like:

import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApp extends WebApplication {
  @Override
  protected void init() {
    super.init();
    ...
    // Whitelist guard: only resources matching an added pattern are served
    SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
    guard.addPattern(...);
    guard.addPattern(...);
    ...
    getResourceSettings().setPackageResourceGuard(guard);
  }
}

or upgrade to Apache Wicket 1.4.20 or 1.5.5.
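
The first mitigation above, a custom whitelist guard, worked through as an
added example. This is not code from the advisory or from the Wicket
project; the class names com.example.MyApp and HomePage, the allowed
package prefixes and the allowed extension list are assumptions for
illustration, and the refusal of a scope class without a package is a
defensive choice made here, not a description of the fix shipped in
1.4.20 / 1.5.5. It targets the 1.4.x / 1.5.x API, where
IPackageResourceGuard.accept receives the scope class and the relative path.

```java
package com.example;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.lang.Packages;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the advisory or the Wicket project.
// com.example.MyApp, HomePage and the prefix/extension lists are assumptions.
public class MyApp extends WebApplication {

  @Override
  protected void init() {
    super.init();
    // Replace the default package resource guard with an explicit whitelist.
    getResourceSettings().setPackageResourceGuard(new WhitelistResourceGuard());
  }

  @Override
  public Class<? extends Page> getHomePage() {
    return HomePage.class; // assumed application page, not defined here
  }

  /**
   * Whitelist guard: a package resource is served only if its resolved
   * path lies under an allowed package prefix AND carries an allowed file
   * extension. Everything else (.class, .properties, .html markup,
   * WEB-INF/web.xml, ...) is refused.
   */
  public static class WhitelistResourceGuard implements IPackageResourceGuard {

    // Wicket's own client-side scripts live under org/apache/wicket/, so
    // that prefix must stay allowed or Ajax-enabled pages break.
    private static final String[] ALLOWED_PREFIXES = {
      "com/example/", "org/apache/wicket/" };

    private static final Set<String> ALLOWED_EXTENSIONS = new HashSet<String>(
      Arrays.asList("png", "gif", "jpg", "css", "js", "ico"));

    public boolean accept(Class<?> scope, String path) {
      // A scope class with no package gives no package prefix to anchor the
      // path to; refuse it instead of falling through to the extension
      // check (assumption: treat such requests as untrusted).
      if (scope == null || scope.getPackage() == null) {
        return false;
      }
      // Packages.absolutePath resolves the relative path against the scope's
      // package, so ".." segments are normalised before the prefix check.
      String absolutePath = Packages.absolutePath(scope, path);

      boolean underAllowedPrefix = false;
      for (String prefix : ALLOWED_PREFIXES) {
        if (absolutePath.startsWith(prefix)) {
          underAllowedPrefix = true;
          break;
        }
      }
      if (!underAllowedPrefix) {
        return false;
      }

      int dot = absolutePath.lastIndexOf('.');
      int slash = absolutePath.lastIndexOf('/');
      if (dot < 0 || dot < slash) {
        return false; // no file extension at all
      }
      String ext = absolutePath.substring(dot + 1).toLowerCase();
      return ALLOWED_EXTENSIONS.contains(ext);
    }
  }
}
```

With this guard installed, a request for a resource that resolves to
com/example/logo.png is served, while com/example/HomePage.html,
com/example/MyApp.class or a path that climbs out of the allowed
packages is refused. If the built-in SecurePackageResourceGuard is used
instead, its addPattern method takes patterns of the form "+*.png"
(allow) and "-*.properties" (deny); keep the allow list as short as the
application's static resources permit.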

Credit:
This issue was discovered by Sebastian van Erk.

Apache Wicket Team

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
