CVE-2012-1089 - Apache Wicket serving of hidden files vulnerability

22 Mar 2012

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.4.x and 1.5.x

Description: It is possible to view the content of any file of a web application by using an Url to a Wicket resource which resolves to a ‘null’ package. With such a Url the attacker can request the content of any file by specifying its relative path, i.e. the attacker must know the file name to be able to request it.

Mitigation: Setup a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides a whitelist of allowed resources. Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured list of allowed file extensions. Either setup SecurePackageResourceGuard with code like:

public class MyApp extends WebApplication {
    public void init() {
        super.init();
        SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
        guard.addPattern(...);
        guard.addPattern(...);
        getResourceSettings().setPackageResourceGuard(guard);
    }
}

or upgrade Apache Wicket 1.4.20 or Apache Wicket 1.5.5

Credit: This issue was discovered by Sebastian van Erk.