Author: mgrigorov
Date: Tue Aug 23 18:26:22 2011
New Revision: 1160834
URL: http://svn.apache.org/viewvc?rev=1160834&view=rev
Log:
[CVE-2011-2712] Apache Wicket XSS vulnerability
Added:
wicket/common/site/trunk/_posts/2011-08-23-cve-2011-2712.md
wicket/common/site/trunk/_site/2011/08/23/
wicket/common/site/trunk/_site/2011/08/23/cve-2011-2712.html
Modified:
wicket/common/site/trunk/_site/atom.xml
wicket/common/site/trunk/_site/index.html
Added: wicket/common/site/trunk/_posts/2011-08-23-cve-2011-2712.md
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_posts/2011-08-23-cve-2011-2712.md?rev=1160834&view=auto
==============================================================================
--- wicket/common/site/trunk/_posts/2011-08-23-cve-2011-2712.md (added)
+++ wicket/common/site/trunk/_posts/2011-08-23-cve-2011-2712.md Tue Aug 23
18:26:22 2011
@@ -0,0 +1,36 @@
+---
+layout: post
+title: CVE-2011-2712 - Apache Wicket XSS vulnerability
+---
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache Wicket 1.4.x
+
+Apache Wicket 1.3.x and 1.5-RCx are not affected
+
+Description:
+With multi window support application configuration and special query
parameters it
+is possible to execute any kind of JavaScript on a site running with the
+affected versions.
+
+Mitigation:
+Either disable multi window support with
+
+MyApp.java
+{% highlight xml %}
+public void init() {
+ super.init();
+ getPageSettings.setAutomaticMultiWindowSupport(false);
+}
+{% endhighlight %}
+
+or upgrade to [Apache Wicket
1.4.18](http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html) or
+[Apache Wicket
1.5-RC5.1](http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html)
+
+Credit:
+This issue was discovered by Sven Krewitt of TÃV Rheinland i-sec GmbH.
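Review bot: the mitigation snippet in the Mitigation section does not compile as written: `getPageSettings.setAutomaticMultiWindowSupport(false);` treats `getPageSettings` as a field, but in Wicket it is a method on `Application`, so the line should be `getPageSettings().setAutomaticMultiWindowSupport(false);`. The block is also wrapped in `{% highlight xml %}` although the content is Java; tag it `java` so the highlighter does not mislabel it. Two smaller points: the credit line carries a mis-encoded name (`TÃV`, presumably `TÜV`), so the post should be saved as UTF-8 before the site is regenerated, and the advisory never says whether automatic multi window support is on by default in 1.4.x, which is the first thing an operator needs to know to judge whether the `init()` change is required; a sentence stating the default would make the Versions Affected and Mitigation sections self-contained.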
Added: wicket/common/site/trunk/_site/2011/08/23/cve-2011-2712.html
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/2011/08/23/cve-2011-2712.html?rev=1160834&view=auto
==============================================================================
--- wicket/common/site/trunk/_site/2011/08/23/cve-2011-2712.html (added)
+++ wicket/common/site/trunk/_site/2011/08/23/cve-2011-2712.html Tue Aug 23
18:26:22 2011
@@ -0,0 +1,179 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Apache Wicket - CVE-2011-2712 - Apache Wicket XSS
vulnerability</title>
+
+ <link rel="stylesheet" href="/css/screen.css" type="text/css"
media="screen" />
+
+ <!--[if lt ie 7]>
+ <link rel="stylesheet" href="/css/ie.css" type="text/css"
media="screen" />
+ <![endif]-->
+ <link rel="shortcut icon" href="/favicon.ico"
type="image/vnd.microsoft.icon" />
+ <link rel="alternate" type="application/atom+xml" href="/atom.xml" />
+ <meta http-equiv="content-type" content="text/html;charset=utf-8" />
+</head>
+<body>
+<div id="container">
+ <div id="content">
+ <div id="header"><a href="/"><h1 id="logo"><span>Apache
Wicket</span></h1></a></div>
+ <div id="navigation">
+ <h5><a name="Navigation-Wicket"></a>Meet Wicket</h5>
+ <ul>
+ <li>
+ <a href="/" title="Index">Home</a>
+ </li>
+ <li>
+ <a href="/meet/introduction.html"
title="Introduction">Introduction</a>
+ </li>
+ <li>
+ <a href="/meet/features.html"
title="Features">Features</a>
+ </li>
+ <li>
+ <a href="/meet/buzz.html" title="Buzz">Buzz</a>
+ </li>
+ <li>
+ <a href="/meet/vision.html" title="Vision">Vision</a>
+ </li>
+ <li>
+ <a href="/meet/blogs.html" title="Blogs">Blogs</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-GettingStarted"
id="Navigation-GettingStarted"></a>Get Started
+ </h5>
+ <ul>
+ <li>
+ <a href="/start/download.html" title="Download
Wicket">Download Wicket</a>
+ </li>
+ <li>
+ <a href="/start/quickstart.html" title="Getting started
via a Maven Archetype">Quickstart</a>
+ </li>
+ <li>
+ <a href="http://www.jweekend.com/dev/LegUp"
rel="nofollow">More archetypes</a>
+ </li>
+ <li>
+ <a href="/help" title="Get help">Get help</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Documentation"
id="Navigation-Documentation"></a>Learn
+ </h5>
+ <ul>
+ <li>
+ <a href="/learn/examples" title="Examples">Examples</a>
+ </li>
+ <li>
+ <a
href="http://wicketstuff.org/wicket14/compref/">Components</a>
+ </li>
+ <li>
+ <a href="/learn/projects/" title="Projects extending
basic Wicket">Projects</a>
+ </li>
+ <li>
+ <a href="http://cwiki.apache.org/WICKET">Wiki</a>
+ </li>
+ <li>
+ <a
href="http://cwiki.apache.org/WICKET/reference-library.html">Reference guide</a>
+ </li>
+ <li>
+ <a href="/learn/books" title="Books">Books</a>
+ </li>
+ <li>
+ <a href="/learn/ides.html" title="IDEs">IDE plugins</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Releases"
id="Navigation-Releases"></a>Releases
+ </h5>
+ <ul>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.4.18">Wicket 1.4</a>
+ (<a href="http://wicket.apache.org/apidocs/1.4"
title="JavaDocs of the latest stable release - 1.4.x">docs</a>)
+ </li>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/wicket/1.3.7">Wicket 1.3</a>
+ (<a href="http://wicket.apache.org/apidocs/1.3"
title="JavaDocs of Apache Wicket 1.3.x">docs</a>)
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.2"
class="external-link" rel="nofollow">Wicket 1.2</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.1"
class="external-link" rel="nofollow">Wicket 1.1</a>
+ </li>
+ <li>
+ <a href="http://wicket.sf.net/wicket-1.0"
class="external-link" rel="nofollow">Wicket 1.0</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Developers"
id="Navigation-Developers"></a>Contribute
+ </h5>
+ <ul>
+ <li>
+ <a href="/contribute/write.html" title="Writing
documentation">Writing docs</a>
+ </li>
+ <li>
+ <a href="/contribute/build.html" title="Building from
SVN">Build Wicket</a>
+ </li>
+ <li>
+ <a href="/contribute/patch.html" title="Provide a
patch">Provide a patch</a>
+ </li>
+ <li>
+ <a href="/contribute/release.html" title="Release
Wicket">Release Wicket</a>
+ </li>
+ <li>
+ <a href="http://fisheye6.atlassian.com/browse/wicket"
title="SVN Overview" class="external-link" rel="nofollow">Fisheye</a>
+ </li>
+ </ul>
+ <h5>
+ <a name="Navigation-Apache" id="Navigation-Apache"></a>Apache
+ </h5>
+ <ul>
+ <li>
+ <a href="http://www.apache.org/" class="external-link"
rel="nofollow">Apache</a>
+ </li>
+ <li>
+ <a href="http://www.apache.org/licenses/"
class="external-link" rel="nofollow">License</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/foundation/sponsorship.html" class="external-link"
rel="nofollow">Sponsorship</a>
+ </li>
+ <li>
+ <a href="http://apache.org/foundation/thanks.html"
class="external-link" rel="nofollow">Thanks</a>
+ </li>
+ </ul>
+</div>
+
+ <div id="contentbody">
+ <h1>CVE-2011-2712 - Apache Wicket XSS vulnerability</h1>
+ <p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x</p>
+
+<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>
+
+<p>Description: With multi window support application configuration and
special query parameters it is possible to execute any kind of JavaScript on a
site running with the affected versions.</p>
+
+<p>Mitigation: Either disable multi window support with</p>
+
+<p>MyApp.java</p>
+<div class='highlight'><pre><code class='xml'>public void init() {
+ super.init();
+ getPageSettings.setAutomaticMultiWindowSupport(false);
+}
+</code></pre>
+</div>
+<p>or upgrade to <a
href='http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html'>Apache
Wicket 1.4.18</a> or <a
href='http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html'>Apache
Wicket 1.5-RC5.1</a></p>
+
+<p>Credit: This issue was discovered by Sven Krewitt of TÃV Rheinland
i-sec GmbH.</p>
+ </div>
+ <div id="clearer"></div>
+ <div id="footer"><span>
+Copyright © 2010 — The Apache Software Foundation. Apache Wicket,
+Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo
+are trademarks of The Apache Software Foundation. All other marks mentioned
+may be trademarks or registered trademarks of their respective owners.
+</span></div>
+
+ </div>
+</div>
+</body>
+</html>
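Review bot: this generated page reproduces the defects of the source post, namely `getPageSettings.setAutomaticMultiWindowSupport(false);` (missing `()` after `getPageSettings`), the `<code class='xml'>` class on a Java snippet, and `TÃV` in the credit line, so the fix belongs in `_posts/2011-08-23-cve-2011-2712.md` followed by a regeneration of `_site`, not in this HTML. Also the footer still reads `Copyright © 2010` on a page dated 2011; that text comes from the shared layout and is worth updating there in the same pass.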
Modified: wicket/common/site/trunk/_site/atom.xml
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/atom.xml?rev=1160834&r1=1160833&r2=1160834&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/atom.xml (original)
+++ wicket/common/site/trunk/_site/atom.xml Tue Aug 23 18:26:22 2011
@@ -4,7 +4,7 @@
<title>Apache Wicket</title>
<link href="http://wicket.apache.org/atom.xml" rel="self"/>
<link href="http://wicket.apache.org/"/>
- <updated>2011-08-09T17:13:04+03:00</updated>
+ <updated>2011-08-23T21:24:43+03:00</updated>
<id>http://wicket.apache.org/</id>
<author>
<name>Apache Wicket</name>
@@ -13,6 +13,33 @@
<entry>
+ <title>CVE-2011-2712 - Apache Wicket XSS vulnerability</title>
+ <link href="http://wicket.apache.org/2011/08/23/cve-2011-2712.html"/>
+ <updated>2011-08-23T00:00:00+03:00</updated>
+ <id>http://wicket.apache.org/2011/08/23/cve-2011-2712</id>
+ <content type="html"><p>Vendor: The Apache Software
Foundation</p>
+
+<p>Versions Affected: Apache Wicket 1.4.x</p>
+
+<p>Apache Wicket 1.3.x and 1.5-RCx are not affected</p>
+
+<p>Description: With multi window support application configuration and
special query parameters it is possible to execute any kind of JavaScript on a
site running with the affected versions.</p>
+
+<p>Mitigation: Either disable multi window support with</p>
+
+<p>MyApp.java</p>
+<div class='highlight'><pre><code class='xml'>public void
init() {
+ super.init();
+ getPageSettings.setAutomaticMultiWindowSupport(false);
+}
+</code></pre>
+</div>
+<p>or upgrade to <a
href='http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html'>Apache
Wicket 1.4.18</a> or <a
href='http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html'>Apache
Wicket 1.5-RC5.1</a></p>
+
+<p>Credit: This issue was discovered by Sven Krewitt of TÃV
Rheinland i-sec GmbH.</p></content>
+ </entry>
+
+ <entry>
<title>Wicket 1.4.18 released</title>
<link
href="http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html"/>
<updated>2011-08-09T00:00:00+03:00</updated>
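Review bot: the new `<entry>` embeds the same uncorrected snippet (`getPageSettings.` without `()`, tagged as `xml`) and the `TÃV` mis-encoding as the post it was generated from, and feed readers will render it verbatim; since `atom.xml` is a build artifact, regenerate it after correcting the source post rather than committing the feed in this state.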
@@ -234,46 +261,4 @@
</ul></content>
</entry>
- <entry>
- <title>Wicket 1.5-RC1 released</title>
- <link
href="http://wicket.apache.org/2011/01/22/wicket-1.5-RC1-released.html"/>
- <updated>2011-01-22T00:00:00+02:00</updated>
- <id>http://wicket.apache.org/2011/01/22/wicket-1.5-RC1-released</id>
- <content type="html"><p>The Wicket Team is proud to introduce the
first Release Candidate in Wicket 1.5 series. The 1.5 series provides the
following major improvements:</p>
-
-<ul>
-<li>A more powerful and flexible request processing pipeline</li>
-
-<li>Intercomponent event mechanism</li>
-
-<li>Improved configuration</li>
-
-<li>More flexible markup loading</li>
-
-<li>Better proxy support (x-forwarded-for header)</li>
-</ul>
-
-<p>More detailed migration notes are available on our <a
href='https://cwiki.apache.org/WICKET/migration-to-wicket-15.html'>Migrate
to 1.5 Wiki Page</a></p>
-
-<p>Release Artifacts:</p>
-
-<ul>
-<li><a
href='http://svn.apache.org/repos/asf/wicket/releases/wicket-1.5-RC1'>Subversion
tag</a></li>
-
-<li><a
href='https://issues.apache.org/jira/secure/IssueNavigator.jspa?reset=true&amp;&amp;pid=12310561&amp;fixfor=12315483&amp;sorter/field=issuekey&amp;sorter/order=DESC'>Changelog</a></li>
-
-<li>To use in Maven:</li>
-</ul>
-<div class='highlight'><pre><code class='xml'><span
class='nt'>&lt;dependency&gt;</span>
- <span
class='nt'>&lt;groupId&gt;</span>org.apache.wicket<span
class='nt'>&lt;/groupId&gt;</span>
- <span
class='nt'>&lt;artifactId&gt;</span>wicket<span
class='nt'>&lt;/artifactId&gt;</span>
- <span class='nt'>&lt;version&gt;</span>1.5-RC1<span
class='nt'>&lt;/version&gt;</span>
-<span class='nt'>&lt;/dependency&gt;</span>
-</code></pre>
-</div>
-<ul>
-<li>Download the <a
href='http://www.apache.org/dyn/closer.cgi/wicket/1.5-RC1'>full
distribution</a> (including source)</li>
-</ul></content>
- </entry>
-
</feed>
Modified: wicket/common/site/trunk/_site/index.html
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/index.html?rev=1160834&r1=1160833&r2=1160834&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/index.html (original)
+++ wicket/common/site/trunk/_site/index.html Tue Aug 23 18:26:22 2011
@@ -164,6 +164,13 @@
<p>Wicket is released under the <a
href='http://www.apache.org/licenses/LICENSE-2.0.html'>Apache License, Version
2.0</a>.</p>
+<h1 id='cve20112712__apache_wicket_xss_vulnerability'><a
href='/2011/08/23/cve-2011-2712.html'>CVE-2011-2712 - Apache Wicket XSS
vulnerability</a></h1>
+<p>Vendor: The Apache Software Foundation</p><p>Versions Affected: Apache
Wicket 1.4.x</p><p>Apache Wicket 1.3.x and 1.5-RCx are not
affected</p><p>Description: With multi window support application configuration
and special query parameters it is possible to execute any kind of JavaScript
on a site running with the affected versions.</p><p>Mitigation: Either disable
multi window support with</p><p>MyApp.java</p><div class='highlight'><pre><code
class='xml'>public void init() {
+ super.init();
+ getPageSettings.setAutomaticMultiWindowSupport(false);
+}
+</code></pre>
+</div><p>or upgrade to <a
href='http://wicket.apache.org/2011/08/09/wicket-1.4.18-released.html'>Apache
Wicket 1.4.18</a> or <a
href='http://wicket.apache.org/2011/06/25/wicket-1.5-RC5.1-released.html'>Apache
Wicket 1.5-RC5.1</a></p><p>Credit: This issue was discovered by Sven
Krewitt of TÃV Rheinland i-sec GmbH.</p>
<h1 id='wicket_1418_released'><a
href='/2011/08/09/wicket-1.4.18-released.html'>Wicket 1.4.18 released</a></h1>
<p>This is eightteenth release of the Wicket 1.4.x series. This is primarily a
minor bugfix release on the 1.4.x (stable) branch.</p><ul>
<li><a
href='http://svn.apache.org/repos/asf/wicket/releases/wicket-1.4.18'>Subversion
tag</a></li>
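Review bot: the front page now carries the full advisory text, including the non-compiling line `getPageSettings.setAutomaticMultiWindowSupport(false);` and the mis-encoded credit line, so the same source-post fix and regeneration apply here. One out-of-scope observation from the unchanged context just below the new block: `This is eightteenth release of the Wicket 1.4.x series` should read `eighteenth`; it lives in the 1.4.18 post under `_posts` and could be corrected in the same follow-up.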
@@ -179,23 +186,13 @@
</code></pre>
</div><ul>
<li>Download the <a
href='http://www.apache.org/dyn/closer.cgi/wicket/1.4.18'>full distribution</a>
(including source)</li>
-</ul>
-<h1 id='wicket_15rc51_released'><a
href='/2011/06/25/wicket-1.5-RC5.1-released.html'>Wicket 1.5-RC5.1
released</a></h1>
-<p>The Wicket Team is proud to introduce the fourth Release Candidate in
Wicket 1.5 series. See the changelog for the list of bug fixes and improvements
done between 1.5-RC4.2 and 1.5-RC5.1</p><p>More detailed migration notes are
available on our <a
href='https://cwiki.apache.org/WICKET/migration-to-wicket-15.html'>Migrate to
1.5 Wiki Page</a></p><p>Release Artifacts:</p><ul>
-<li><a
href='http://svn.apache.org/repos/asf/wicket/releases/wicket-1.5-RC5.1'>Subversion
tag</a></li>
+</ul><h1>Older news items</h1><ul>
-<li><a
href='https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12316423'>Changelog</a></li>
-<li>To use in Maven:</li>
-</ul><div class='highlight'><pre><code class='xml'><span
class='nt'><dependency></span>
- <span class='nt'><groupId></span>org.apache.wicket<span
class='nt'></groupId></span>
- <span class='nt'><artifactId></span>wicket-core<span
class='nt'></artifactId></span>
- <span class='nt'><version></span>1.5-RC5.1<span
class='nt'></version></span>
-<span class='nt'></dependency></span>
-</code></pre>
-</div><ul>
-<li>Download the <a
href='http://www.apache.org/dyn/closer.cgi/wicket/1.5-RC5.1'>full
distribution</a> (including source)</li>
-</ul><h1>Older news items</h1><ul>
+<li>
+ <a href='/2011/06/25/wicket-1.5-RC5.1-released.html'>Wicket 1.5-RC5.1
released</a> - <span>25 Jun 2011</span><br />
+ The Wicket Team is proud to introduce the fourth Release Candidate in
Wicket 1.5 series. See the changelog for the list of bug fixes and...
+ <a href='/2011/06/25/wicket-1.5-RC5.1-released.html'>more</a></li>
<li>
@@ -251,12 +248,6 @@
This is fifteenth release of the Wicket 1.4.x series. This is primarily
a minor bugfix release on the 1.4.x (stable) branch. Subversion tag Changelog
To...
<a href='/2010/12/24/wicket-1.4.15-released.html'>more</a></li>
-
-<li>
- <a href='/2010/11/29/wicket-1.4.14-released.html'>Wicket 1.4.14
released</a> - <span>29 Nov 2010</span><br />
- This is fourteenth release of the Wicket 1.4.x series. This is
primarily a minor bugfix release on the 1.4.x (stable) branch. Subversion tag
Changelog To...
- <a href='/2010/11/29/wicket-1.4.14-released.html'>more</a></li>
-
</ul>
<h1 id='books_about_wicket'>Books about Wicket</h1>