[WICKET-3106] Security: Possible Redirection to foreign Page by using BrowserInfoPage's PageParameter - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.4.12
Fix Version/s: 1.4.13, 1.5-M3
Component/s: wicket
Labels:
None

Description

By link manipulation as a BookmarkableLink it is possible to redirect a User to foreign pages (probably without users notice).

Example:

http://wicketstuff.org/wicket14/compref/?wicket:bookmarkablePage=:org.apache.wicket.markup.html.pages.BrowserInfoPage&cto=http://www.google.de

Reason:
"Fallback"- Constructor in org.apache.wicket.markup.html.pages.BrowserInfoPage accepts every "cto" -PageParameter unevaluated regarding protocol prefex.

Attachments

Activity

People

Assignee:: Igor Vaynberg

Reporter:: Thomas Aulinger

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 14/Oct/10 09:34

Updated:: 14/Oct/10 19:25

Resolved:: 14/Oct/10 18:52

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified