Wicket / WICKET-1992

SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.5, 1.4-RC1
    • Fix Version/s: 1.3.7
    • Component/s: None
    • Labels: None

      Description

      Hi All,

      I've just run into what I consider a bit of a security issue with the SharedResourceRequestTarget. It allows me to load files from the /WEB-INF directory (though I have to guess the file names).

      For example, if I see there is some bookmarkable page in the app with the name com.myapp.pages.MyBookMarkablePage, I can request the following URL:

      http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml

      Replace log4j.xml with applicationContext.xml, or any other guesses for useful files.

      In both of these files it is more than possible that there is sensitive information such as database URLs and passwords or mail server usernames and passwords (though if you use a property configurator in Spring you might be lucky, since the password is then contained in a .properties file, which is blocked by Wicket).

      Of course there may be lots of other sensitive files in WEB-INF.

      I have only known about the IPackageResourceGuard interface since today, however, after looking into this problem. I could build my own implementation with a default-deny policy and open up package resources on a need-to-have basis. However, I REALLY think that Wicket should be secure by default, and a better solution to this problem should be found...

      Regards,
      Sebastiaan
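
The mitigation the report points to, an IPackageResourceGuard with a default-deny policy, written out as an added example; it is not part of this issue's attachment nor of Wicket's own code. It assumes the Wicket 1.4 interface signature `accept(Class<?> scope, String path)`, that Wicket hands the guard the resource's resolved package path with `/` separators (so the guard can check where a path lands, not only whether it still contains `..`), and registration through `getResourceSettings().setPackageResourceGuard(...)` in `WebApplication.init()`. The `com.example.security` package, the class names, the allowed package prefixes and the extension list are hypothetical and must be adapted to the application.

```java
// Added example (not from WICKET-1992 or the Wicket project): a default-deny
// IPackageResourceGuard. Assumes the Wicket 1.4 signature accept(Class<?>, String)
// and that the path passed in is the resolved package path ("com/myapp/pages/x.css").
package com.example.security; // hypothetical package

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

public class DefaultDenyResourceGuard implements IPackageResourceGuard {

    // Only these extensions may ever be served as package resources. Hypothetical list:
    // xml, properties, class, java and everything else not named here are denied.
    private static final Set<String> ALLOWED_EXTENSIONS = new HashSet<String>(
        Arrays.asList("css", "js", "png", "gif", "jpg", "ico"));

    // Only resources under these package prefixes may be served. Hypothetical values:
    // replace with the packages that actually hold the application's static assets.
    private static final String[] ALLOWED_PREFIXES = {
        "com/myapp/pages/", "com/myapp/assets/"
    };

    public boolean accept(Class<?> scope, String path) {
        if (path == null) {
            return false;
        }
        // Normalise separators so every check below sees one canonical form.
        String p = path.replace('\\', '/');
        if (p.startsWith("/")) {
            p = p.substring(1);
        }

        // Reject any traversal segment, raw ("..") or in Wicket's URL form ("$up$"),
        // and empty segments. A default-deny guard never reasons about where ".." leads.
        for (String segment : p.split("/")) {
            if (segment.length() == 0 || "..".equals(segment) || "$up$".equals(segment)) {
                return false;
            }
        }

        // Allowlist the extension: deployment descriptors, Spring contexts, logging
        // configuration and class files are never served because they are not listed.
        int dot = p.lastIndexOf('.');
        if (dot < 0 || dot == p.length() - 1) {
            return false;
        }
        String ext = p.substring(dot + 1).toLowerCase(Locale.ENGLISH);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            return false;
        }

        // Allowlist the location: even if Wicket already collapsed "$up$" segments, a
        // path that resolved to the classpath root (e.g. "log4j.xml") fails this check.
        for (String prefix : ALLOWED_PREFIXES) {
            if (p.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Registration in the application's init(); MyApplication is hypothetical. */
    public static class MyApplication extends WebApplication {
        @Override
        protected void init() {
            super.init();
            getResourceSettings().setPackageResourceGuard(new DefaultDenyResourceGuard());
        }

        @Override
        public Class<? extends Page> getHomePage() {
            return com.myapp.pages.MyBookMarkablePage.class; // page named in the report
        }
    }
}
```

The location allowlist is the check that closes the traversal described in the report: the resource must resolve to a known asset package, so guessing file names at the classpath root or under WEB-INF/classes yields nothing. The extension allowlist replaces the block-known-extensions behaviour the report describes (where .properties is blocked but .xml is not) with a deny-by-default rule, so a new sensitive file type does not become servable simply because nobody added it to a blocklist.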

    Attachments

    1. wicket1992-1.3.6-jdk1.4.diff (27 kB, Martin Dietze)


    People

    • Assignee: jdonnerstag (Juergen Donnerstag)
    • Reporter: sebster (Sebastiaan van Erk)
    • Votes: 0
    • Watchers: 1
