svn commit: r1624997 - /wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md

Mon, 15 Sep 2014 04:07:15 -0700 

Author: adelbene
Date: Mon Sep 15 11:06:28 2014
New Revision: 1624997

URL: http://svn.apache.org/r1624997
Log:
Post entry for CVE-2014-3526

Added:
    wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md

Added: wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md
URL: 
http://svn.apache.org/viewvc/wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md?rev=1624997&view=auto
==============================================================================
--- wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md (added)
+++ wicket/common/site/trunk/_posts/2014-09-15-cve-2014-3526.md Mon Sep 15 
11:06:28 2014
@@ -0,0 +1,29 @@
+---
+layout: post
+title: CVE-2014-3526 - Apache Wicket Information disclosure vulnerability
+---
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2
+
+Description:
+
+
+When rendering a web page Wicket checks the request url against the one at the 
render time. It is possible the application to change the page parameters (this 
includes both the query parameters and parameters encoded into the request 
path). When the requested url differs with the one at the rendering time Wicket 
stores the response (i.e. the page markup) at the server side and issues an 
HTTP redirect to the new url. When the second request comes Wicket just flushes 
the stored response from the first request into the http output stream. This 
way the browser address bar shows the updated page parameters.
+When storing the page markup at the server side Wicket uses as an identifier a 
pair of the current session id plus the new url. However, Wicket does not check 
if user session is temporary (i.e. sessionId is null).
+This could lead to a security issue if two or more users with a temporary 
session are redirected to the same url at the same time. Then user1 might see 
the markup for user2 which has overrided the markup for user1 while user1 was 
following the HTTP redirect. In this way user-sensitive informations can be 
seen by other users.
+
+The application developers are recommended to upgrade to: 
+- [Apache Wicket 1.5.12]()
+- [Apache Wicket 6.17.0](/2014/08/24/wicket-6.17.0-released.html)
+- [Apache Wicket 7.0.0-M3](/2014/08/23/wicket-7.0.0-M3-released.html)
+
+Credit:
+This issue was reported by Andrea Del Bene and Martin Grigorov!
+
+Apache Wicket Team
\ No newline at end of file

Reply via email to