Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
1.3.5, 1.4-RC1
-
None
-
None
Description
Hi All,
I've just run into what I consider a bit of a security issue with the SharedResourceRequestTarget. It allows me to load files from the /WEB-INF directory (though I have to guess the file names).
For example, if I see there is some bookmarkable page in the app with the name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
Replace log4j.xml with applicationContext.xml, or any other guesses for useful files.
In both these files it is more than possible that there is sensitive information such as database urls and passwords or mail server usernames and passwords (though if you use a property configurator in Spring you might be lucky since the password is then contained in a .properties file, which is blocked by Wicket).
Of course there may be lots of other sensitive files in WEB-INF.
I know about the IPackageResourceGuard interface, however, only since today, after looking into this problem. 
I could build my own implementation with a default deny policy and open up package resources on a need to have basis. However, I REALLY think that Wicket should be secure by default, and a better solution to this problem should be found...
Regards,
Sebastiaan