[jira] Created: (WICKET-3106) Security: Possible Redirection to foreign Page by using BrowserInfoPage's PageParameter

Thomas Aulinger (JIRA) Thu, 14 Oct 2010 02:36:04 -0700

Security: Possible Redirection to foreign Page by using BrowserInfoPage's 
PageParameter 
----------------------------------------------------------------------------------------


                 Key: WICKET-3106
                 URL: https://issues.apache.org/jira/browse/WICKET-3106
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.4.12
            Reporter: Thomas Aulinger
            Priority: Critical


By link manipulation as a BookmarkableLink it is possible to redirect a User to 
 foreign pages (probably without users notice).


Example:

http://wicketstuff.org/wicket14/compref/?wicket:bookmarkablePage=:org.apache.wicket.markup.html.pages.BrowserInfoPage&cto=http://www.google.de

Reason:
"Fallback"- Constructor in org.apache.wicket.markup.html.pages.BrowserInfoPage  
accepts every "cto" -PageParameter unevaluated regarding protocoll prefex.




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Created: (WICKET-3106) Security: Possible Redirection to foreign Page by using BrowserInfoPage's PageParameter

Reply via email to