[
https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593335#comment-14593335
]
ASF subversion and git services commented on WICKET-5927:
---------------------------------------------------------
Commit 3e418cd4a22b1af3a854cfb994166b40f53915d3 in wicket's branch
refs/heads/wicket-6.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=3e418cd ]
WICKET-5927 Velocity Remote Code Exception
Use custom velocity.properties for wicket-examples that is more strict and
doesn't allow usage of class loaders
> Velocity Remote Code Exception
> ------------------------------
>
> Key: WICKET-5927
> URL: https://issues.apache.org/jira/browse/WICKET-5927
> Project: Wicket
> Issue Type: Bug
> Components: site
> Reporter: sergej m
> Priority: Critical
> Attachments: Bildschirmfoto 2015-06-19 um 11.43.03.png, signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g
> java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in
> org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
