[
https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712582#action_12712582
]
Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------
Waiting to apply until the current JUnit test failures are fixed.
> SharedResourceRequestTarget allows access to almost arbitrary files under
> WEB-INF.
> ----------------------------------------------------------------------------------
>
> Key: WICKET-1992
> URL: https://issues.apache.org/jira/browse/WICKET-1992
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 1.3.5, 1.4-RC1
> Reporter: Sebastiaan van Erk
> Assignee: Juergen Donnerstag
> Priority: Critical
> Fix For: 1.3.7, 1.4-RC2
>
> Attachments: wicket1992-1.3.6-jdk1.4.diff
>
>
> Hi All,
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
> In both these files it is more than possible that there is sensitive
> information such as database URLs and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky, since the password is then contained in a .properties file, which is
> blocked by Wicket).
> Of course there may be lots of other sensitive files in WEB-INF.
> I have known about the IPackageResourceGuard interface only since today,
> however, after looking into this problem. :-) I could build my own
> implementation with a default deny policy and open up package resources on a
> need-to-have basis.
> However, I REALLY think that Wicket should be secure by default, and a better
> solution to this problem should be found...
> Regards,
> Sebastiaan
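A default-deny IPackageResourceGuard of the kind the report suggests, added here as an illustration; it is not part of the issue, the attached diff or Wicket's own fix. It assumes the Wicket 1.4 interface IPackageResourceGuard#accept(Class, String), and the class name DenyByDefaultResourceGuard is hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Hypothetical default-deny guard. Wicket calls accept() with the class the
 * resource is scoped to and the requested path; returning false makes the
 * shared resource request fail instead of serving the file.
 * Register in Application.init():
 *   getResourceSettings().setPackageResourceGuard(new DenyByDefaultResourceGuard());
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard {

    // Only these extensions may ever be served; everything else is denied.
    private final Set<String> allowedExtensions =
        new HashSet<String>(Arrays.asList("css", "js", "png", "gif", "jpg"));

    // Resources opened up on a need-to-have basis, as absolute classpath paths.
    private final Set<String> allowedPaths = new HashSet<String>();

    public void allowPath(String absolutePath) {
        allowedPaths.add(absolutePath);
    }

    public boolean accept(Class<?> scope, String path) {
        // Any parent-directory segment ("..", or Wicket's URL form "$up$") is
        // rejected outright: a package resource never needs to leave its package.
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals("$up$")) {
                return false;
            }
        }
        Package pkg = scope.getPackage();
        String prefix = pkg == null ? "" : pkg.getName().replace('.', '/') + "/";
        String absolutePath = prefix + path;
        if (absolutePath.contains("WEB-INF")) {
            return false; // deployment descriptors and configuration are never resources
        }
        if (allowedPaths.contains(absolutePath)) {
            return true; // explicitly opened up
        }
        int dot = path.lastIndexOf('.');
        if (dot < 0 || dot == path.length() - 1) {
            return false; // no extension at all: deny
        }
        String ext = path.substring(dot + 1).toLowerCase(Locale.ENGLISH);
        return allowedExtensions.contains(ext);
    }
}
```

With this guard installed, the `$up$/$up$/$up$/log4j.xml` request from the report is refused at the first `$up$` segment, and log4j.xml would be refused anyway because `xml` is not an allowed extension.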
--
This message is automatically generated by JIRA.