SharedResourceRequestTarget allows access to almost arbitrary files under 
WEB-INF.
----------------------------------------------------------------------------------

                 Key: WICKET-1992
                 URL: https://issues.apache.org/jira/browse/WICKET-1992
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 1.4-RC1
            Reporter: Sebastiaan van Erk
            Priority: Critical


Hi All,

I've just run into what I consider a bit of a security issue with the 
SharedResourceRequestTarget. It allows me to load files from the /WEB-INF 
directory (though I have to guess the file names).

For example, if I see there is some bookmarkable page in the app with the name 
com.myapp.pages.MyBookMarkablePage, I can request the following URL:

http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml

Replace log4j.xml with applicationContext.xml, or any other guesses for useful 
files.

In both these files it is more than possible that there is sensitive 
information such as database URLs and passwords or mail server usernames and 
passwords (though if you use a property configurator in Spring you might be 
lucky, since the password is then contained in a .properties file, which is 
blocked by Wicket).

Of course there may be lots of other sensitive files in WEB-INF.

I know about the IPackageResourceGuard interface only since today, however, 
after looking into this problem. :-) I could build my own implementation with a 
default deny policy and open up package resources on a need-to-have basis. 
However, I REALLY think that Wicket should be secure by default, and a better 
solution to this problem should be found...

Regards,
Sebastiaan

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
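A default-deny IPackageResourceGuard of the kind the report suggests, as an added example (not Wicket's own code, nor the reporter's). It assumes the Wicket 1.4 contract `accept(Class<?> scope, String path)`, the `com.myapp` package prefix from the report, and registration through `getResourceSettings().setPackageResourceGuard(...)` in `Application.init()`.

```java
import org.apache.wicket.markup.html.IPackageResourceGuard;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Default-deny package resource guard (added example, not Wicket's own code).
 * Assumes Wicket 1.4 consults accept(scope, path) before serving a package
 * resource and that returning false blocks the request.
 * Assumed registration in Application.init():
 *   getResourceSettings().setPackageResourceGuard(new DefaultDenyResourceGuard());
 */
public class DefaultDenyResourceGuard implements IPackageResourceGuard {

    // Only static web assets are served; .xml, .properties, .class etc. are refused.
    private static final Set<String> ALLOWED_EXTENSIONS = new HashSet<String>(
            Arrays.asList("png", "gif", "jpg", "jpeg", "css", "js", "ico"));

    // Resources may only be resolved relative to application classes (hypothetical prefix).
    private static final String ALLOWED_PACKAGE_PREFIX = "com.myapp.";

    public boolean accept(Class<?> scope, String path) {
        if (scope == null || path == null || path.startsWith("/")) {
            return false;
        }
        // Refuse any attempt to climb out of the scope's package, whether spelled
        // as ".." or with the "$up$" form Wicket uses in resource URLs.
        for (String segment : path.replace('\\', '/').split("/")) {
            if ("..".equals(segment) || "$up$".equals(segment)) {
                return false;
            }
        }
        String normalized = path.toLowerCase(Locale.ROOT);
        // Never expose deployment descriptors or container metadata, regardless of extension.
        if (normalized.contains("web-inf") || normalized.contains("meta-inf")) {
            return false;
        }
        if (!scope.getName().startsWith(ALLOWED_PACKAGE_PREFIX)) {
            return false;
        }
        int dot = normalized.lastIndexOf('.');
        if (dot < 0 || dot == normalized.length() - 1) {
            return false; // no extension: not a static asset, deny
        }
        return ALLOWED_EXTENSIONS.contains(normalized.substring(dot + 1));
    }
}
```

With this guard installed, a request for `.../$up$/$up$/$up$/log4j.xml` is refused twice over: by the traversal-segment check and by the extension allowlist.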