[
https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593338#comment-14593338
]
ASF subversion and git services commented on WICKET-5927:
---------------------------------------------------------
Commit 3dff42aa7dfc57c4c98d0d7cd24f2ed8d8d7f668 in wicket's branch
refs/heads/wicket-1.5.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=3dff42a ]
WICKET-5927 Velocity Remote Code Exception
Use custom velocity.properties for wicket-examples that is more strict and
doesn't allow usage of class loaders
(cherry picked from commit 3e418cd4a22b1af3a854cfb994166b40f53915d3)
> Velocity Remote Code Exception
> ------------------------------
>
> Key: WICKET-5927
> URL: https://issues.apache.org/jira/browse/WICKET-5927
> Project: Wicket
> Issue Type: Bug
> Components: site
> Reporter: sergej m
> Priority: Critical
> Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
> Attachments: Bildschirmfoto 2015-06-19 um 11.43.03.png, signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g
> java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in
> org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
