[ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg reopened WICKET-1992:
-----------------------------------

> SharedResourceRequestTarget allows access to almost arbitrary files under
> WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Assignee: Juergen Donnerstag
>            Priority: Critical
>             Fix For: 1.4-RC2
>
>         Attachments: wicket1992-1.3.6-jdk1.4.diff
>
>
> Hi All,
>
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
>
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
>
> In both these files it is more than possible that there is sensitive
> information such as database urls and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky since the password is then contained in a .properties file, which is
> blocked by Wicket).
>
> Of course there may be lots of other sensitive files in WEB-INF.
>
> I know about the IPackageResourceGuard interface, however, only since today,
> after looking into this problem. :-) I could build my own implementation with
> a default deny policy and open up package resources on a need to have basis.
> However, I REALLY think that Wicket should be secure by default, and a better
> solution to this problem should be found...
>
> Regards,
> Sebastiaan

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
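The report mentions building an IPackageResourceGuard with a default-deny policy as an application-side workaround. The guard below is an added example of that idea, not code from the issue, its attached patch, or Wicket itself; it assumes the Wicket 1.3/1.4 interface `IPackageResourceGuard.accept(Class scope, String path)`, is written in JDK 1.4 style to match the attachment, and is registered from the application's `init()` with `getResourceSettings().setPackageResourceGuard(new DenyByDefaultResourceGuard())`.

```java
import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Default-deny package resource guard (added example, not Wicket's own code).
 * Only a short allow-list of extensions is served, and any path segment that
 * walks upward ("..", or its URL form "$up$") or names WEB-INF/META-INF is
 * rejected before the extension check is even reached.
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard
{
    // Extensions this application actually needs to expose as shared resources.
    private static final String[] ALLOWED = { "css", "js", "png", "gif", "jpg" };

    public boolean accept(Class scope, String path)
    {
        if (path == null || path.length() == 0)
        {
            return false;
        }
        // Normalise separators so a container directory cannot hide behind a backslash.
        String[] segments = path.replace('\\', '/').split("/");
        for (int i = 0; i < segments.length; i++)
        {
            String s = segments[i];
            if (s.equals("..") || s.equals("$up$")
                || s.equalsIgnoreCase("WEB-INF") || s.equalsIgnoreCase("META-INF"))
            {
                return false;
            }
        }
        // Deny anything without an extension, then consult the allow-list.
        String name = segments[segments.length - 1];
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1)
        {
            return false;
        }
        String ext = name.substring(dot + 1).toLowerCase();
        for (int i = 0; i < ALLOWED.length; i++)
        {
            if (ALLOWED[i].equals(ext))
            {
                return true;
            }
        }
        return false;
    }
}
```

With this guard in place the URL quoted in the report is refused at the `$up$` segments, and a request for `applicationContext.xml` would be refused on its extension even without them.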