Wicket / WICKET-5927

Velocity remote code execution


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.0.0, 1.5.14, 6.21.0
    • Component/s: site
    • Labels: None

    Description

      Hello,

      Arbitrary shellcode can possibly be executed, using e.g. java.lang.Runtime.exec(String command), on the Wicket site:

      http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3

      The server should use a secure config in org/apache/velocity/runtime/defaults/velocity.properties:

      runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector

      Regards,

      Sergej Michel
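How an application would apply the reporter's suggested fix in code rather than through velocity.properties, as an added example that is not from the report or the Wicket project; it assumes Velocity 1.7 (where the exceptions thrown by evaluate are unchecked), and the class and method names SecureVelocity, newSecureEngine, assertSecure and render are hypothetical:

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.SecureUberspector;

public final class SecureVelocity {
    // Property key quoted in the report; the value is the SecureUberspector class name.
    static final String UBERSPECT_KEY = "runtime.introspector.uberspect";

    /**
     * Builds an engine whose introspector refuses to resolve methods on the
     * reflective and process-related classes (Class, ClassLoader, Runtime, Thread, ...)
     * that the default uberspector would happily expose to a template.
     */
    public static VelocityEngine newSecureEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(UBERSPECT_KEY, SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    /** Startup check: refuse to serve templates with the permissive default introspector. */
    public static void assertSecure(VelocityEngine engine) {
        Object configured = engine.getProperty(UBERSPECT_KEY);
        if (configured == null
                || !SecureUberspector.class.getName().equals(String.valueOf(configured))) {
            throw new IllegalStateException(
                "Velocity engine is not using SecureUberspector: " + configured);
        }
    }

    /** Renders an inline template with a single data-only context value. */
    public static String render(VelocityEngine engine, String template, String name) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", name);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "secure-demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = newSecureEngine();
        assertSecure(engine);
        // Ordinary data access from the context keeps working under the secure uberspector.
        System.out.println(render(engine, "Hello $name", "wicket"));
    }
}
```

The assertSecure check is the one to keep in deployments that rely on velocity.properties, so a missing or overridden key fails at startup instead of silently falling back to the permissive default introspector.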

      Attachments

        1. signature.asc (0.5 kB, uploaded by sergej m)

          People

            Assignee: mgrigorov (Martin Tzvetanov Grigorov)
            Reporter: s.michel (sergej m)
            Votes: 0
            Watchers: 3
