[jira] [Updated] (WICKET-5927) Velocity remote code execution

sergej m (JIRA) Fri, 19 Jun 2015 12:48:37 -0700

     [ 
https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


sergej m updated WICKET-5927:
-----------------------------
    Summary: Velocity remote code execution  (was: Velocity Remote Code 
Exception)

> Velocity remote code execution
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>            Assignee: Martin Grigorov
>            Priority: Critical
>             Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
>         Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can be possibly executed, using e.g 
> java.lang.Runtime.exec(String command) on wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in 
> org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> regards
> Sergej Michel



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (WICKET-5927) Velocity remote code execution

Reply via email to