Vendor: The Apache Software Foundation
Versions Affected: Apache Wicket 1.4.x and 1.5.x
Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a ‘null’ package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.
Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:
Credit: This issue was discovered by Sebastian van Erk.