[ https://issues.apache.org/jira/browse/WICKET-5927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-5927.
-------------------------------------
    Resolution: Fixed

Wicket-Examples now uses custom velocity.properties so it doesn't allow usage 
of classloaders and thus prevents the vulnerability.

Applications should do the same if they need the same security.

Thanks for reporting!

> Velocity remote code execution
> ------------------------------
>
>                 Key: WICKET-5927
>                 URL: https://issues.apache.org/jira/browse/WICKET-5927
>             Project: Wicket
>          Issue Type: Bug
>          Components: site
>            Reporter: sergej m
>            Assignee: Martin Grigorov
>            Priority: Critical
>             Fix For: 1.5.14, 6.21.0, 7.0.0-M7
>
>         Attachments: signature.asc
>
>
> Hello,
> arbitrary shellcode can possibly be executed, using e.g.
> java.lang.Runtime.exec(String command) on the wicket site:
> http://www.wicket-library.com/wicket-examples/velocity/wicket/bookmarkable/org.apache.wicket.examples.velocity.TemplatePage?3
> The server should use a secure config in 
> org/apache/velocity/runtime/defaults/velocity.properties:
> runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
> Regards,
> Sergej Michel



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
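The setting named in the report (`runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector`) can be verified at runtime. The class below is an added self-check, not code from Wicket or from the Velocity project: it renders one template twice, once with the default Uberspect and once with SecureUberspector, and confirms that the secure engine refuses to resolve a method call on `java.lang.Class`. It assumes Velocity 1.7 on the classpath; the class name, the `$user` context value and the probe template are constructed for this example.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added check (not Wicket or Velocity project code). Renders the same probe
 * template with and without SecureUberspector so the effect of the
 * velocity.properties setting from the report can be observed directly.
 * Assumes Velocity 1.7.
 */
public class SecureUberspectorCheck {

    // Same key and value as the velocity.properties line in the report.
    static final String UBERSPECT_KEY = "runtime.introspector.uberspect";
    static final String SECURE_UBERSPECT =
        "org.apache.velocity.util.introspection.SecureUberspector";

    // Harmless probe: reaches java.lang.Class via getClass() and then calls
    // getName() on it. SecureUberspector refuses method lookups on
    // java.lang.Class (and on ClassLoader, Runtime, System, Thread, ...), so
    // the reference stays unresolved and Velocity renders it literally.
    static final String PROBE = "$user.class.name";

    /** Builds an engine; the secure variant sets the property in code
     *  rather than via velocity.properties, with identical effect. */
    static VelocityEngine newEngine(boolean secure) {
        VelocityEngine engine = new VelocityEngine();
        if (secure) {
            engine.setProperty(UBERSPECT_KEY, SECURE_UBERSPECT);
        }
        engine.init();
        return engine;
    }

    /** Evaluates an inline template against a constructed context. */
    static String render(VelocityEngine engine, String template) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", "alice");   // constructed sample value; any object works
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "uberspect-check", template);
        return out.toString();
    }

    /** True when the secure engine leaves the probe reference unresolved,
     *  i.e. the getName() call on java.lang.Class was refused. */
    static boolean isReflectionBlocked() throws Exception {
        return PROBE.equals(render(newEngine(true), PROBE));
    }

    public static void main(String[] args) throws Exception {
        // default engine resolves the chain and prints "java.lang.String"
        System.out.println("default: " + render(newEngine(false), PROBE));
        // secure engine prints the literal text "$user.class.name"
        System.out.println("secure : " + render(newEngine(true), PROBE));
        if (!isReflectionBlocked()) {
            throw new IllegalStateException("SecureUberspector is not active");
        }
    }
}
```

Run `isReflectionBlocked()` from a startup test or health check to catch a deployment whose custom velocity.properties was not picked up; the default engine's `java.lang.String` output shows why the unrestricted introspector is the root of the problem, since the same chain reaches every other method of the JDK.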
