Discussion:
CVE-2014-3526
Martin Grigorov
2014-09-22 07:31:41 UTC
Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2

Description:

When rendering a web page Wicket compares the request URL with the URL computed at render time. The application may change the page parameters during rendering (this includes both the query parameters and the parameters encoded into the request path). When the requested URL differs from the one at render time, Wicket stores the response (i.e. the page markup) on the server side and issues an HTTP redirect to the new URL. When the second request arrives, Wicket simply flushes the stored response from the first request into the HTTP output stream. This way the browser address bar shows the updated page parameters.

When storing the page markup on the server side, Wicket uses as an identifier the pair of the current session id and the new URL. However, Wicket does not check whether the user session is temporary (i.e. the session id is null). This leads to a security issue if two or more users with temporary sessions are redirected to the same URL at the same time: their stored responses share the same key, so user2's markup overwrites user1's while user1 is still following the HTTP redirect, and user1 then receives user2's markup. In this way user-sensitive information can be seen by other users.
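The following is an added illustration of the race described above, not code from the Wicket project: a small model of the server-side buffered-response store keyed on (session id, new URL), with `None` standing in for a temporary session that has no id yet. `render_vulnerable` buffers and redirects without checking the session, reproducing the overwrite; `render_fixed` shows one possible mitigation (skip buffering for a temporary session and write the markup straight into the current response), which is an assumption here and not necessarily what the Wicket patch does. All names, URLs and markup strings are constructed for the example.

```python
# Added example: a minimal model of the buffered-response race described in
# CVE-2014-3526. This is constructed illustration code, not Apache Wicket's
# implementation; the store layout, function names and the mitigation in
# render_fixed (skip buffering for a temporary session) are assumptions.
from typing import Dict, Optional, Tuple

SessionId = Optional[str]          # None models a temporary session (no id yet)
Key = Tuple[SessionId, str]        # (session id, new url), as the advisory describes


class BufferedResponseStore:
    """Server-side store of rendered markup awaiting the redirected request."""

    def __init__(self) -> None:
        self._responses: Dict[Key, str] = {}

    def put(self, session_id: SessionId, url: str, markup: str) -> None:
        # A later put with the same key silently overwrites the earlier markup.
        self._responses[(session_id, url)] = markup

    def take(self, session_id: SessionId, url: str) -> Optional[str]:
        # The redirected request consumes the stored markup.
        return self._responses.pop((session_id, url), None)


def render_vulnerable(store, session_id, requested_url, render_url, markup):
    """Redirect-and-buffer whenever the url changed, with no session check."""
    if requested_url != render_url:
        store.put(session_id, render_url, markup)
        return ("redirect", render_url)
    return ("response", markup)


def render_fixed(store, session_id, requested_url, render_url, markup):
    """Only buffer when the session has a real id; otherwise answer directly.

    Assumed mitigation: a temporary session cannot get a unique key, so the
    markup is written straight to this response instead of being stored.
    """
    if requested_url != render_url and session_id is not None:
        store.put(session_id, render_url, markup)
        return ("redirect", render_url)
    return ("response", markup)


MARKUP_USER1 = "<p>account of user1</p>"   # constructed sample markup
MARKUP_USER2 = "<p>account of user2</p>"
NEW_URL = "/account/view"                  # the url both renders switch to


def simulate(render, session1: SessionId, session2: SessionId) -> Dict[str, Optional[str]]:
    """Interleave two users: both render (and are redirected) before either
    follows its redirect. Returns the markup each user finally receives."""
    store = BufferedResponseStore()
    first = render(store, session1, "/account", NEW_URL, MARKUP_USER1)
    second = render(store, session2, "/account", NEW_URL, MARKUP_USER2)

    def follow(session_id: SessionId, result):
        kind, payload = result
        if kind == "redirect":
            return store.take(session_id, payload)   # None if already consumed
        return payload

    return {"user1": follow(session1, first), "user2": follow(session2, second)}


if __name__ == "__main__":
    # Two anonymous users, both with temporary sessions: user1 gets user2's page.
    print("vulnerable, temporary sessions:", simulate(render_vulnerable, None, None))
    # Distinct session ids keep the keys apart, so the race does not occur.
    print("vulnerable, real sessions:     ", simulate(render_vulnerable, "s1", "s2"))
    # With the check in place each anonymous user sees only their own markup.
    print("fixed, temporary sessions:     ", simulate(render_fixed, None, None))
```

With two temporary sessions the vulnerable path hands user1 the markup rendered for user2 and leaves nothing in the store for user2 (in this model; Wicket's own handling of a missing buffered response is not modelled). With distinct session ids the keys never collide, which is why the problem only shows up for users who have not yet been assigned a session.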

Application developers are advised to upgrade to:
- Apache Wicket 1.5.12
<http://wicket.apache.org/2014/09/15/wicket-1.5.12-released.html>
- Apache Wicket 6.17.0
<http://wicket.apache.org/2014/08/24/wicket-6.17.0-released.html>
- Apache Wicket 7.0.0-M3
<http://wicket.apache.org/2014/08/23/wicket-7.0.0-M3-released.html>

Credit:
This issue was reported by Andrea Del Bene and Martin Grigorov!

Apache Wicket Team
