
U-132: Apache Wicket Input Validation Flaw in 'wicket:pageMapName' Parameter Permits Cross-Site Scripting Attacks

March 23, 2012 - 7:42am


PROBLEM:

Apache Wicket Input Validation Flaw in 'wicket:pageMapName' Parameter Permits Cross-Site Scripting Attacks

PLATFORM:

Apache Wicket 1.4.x prior to 1.4.20 (the fix is also shipped in 1.5.5 for 1.5.x deployments)

ABSTRACT:

A remote user can conduct cross-site scripting attacks.

REFERENCE LINKS:

Apache Wicket
CVE-2012-0047
SecurityTracker Alert ID: 1026839

IMPACT ASSESSMENT:

High

Discussion:

Apache Wicket does not properly filter or encode HTML in the user-supplied 'wicket:pageMapName' request parameter before writing it back into the page. A remote user who gets a target user to follow a crafted link can cause arbitrary script to be executed by the target user's browser. The script will originate from the site running the Apache Wicket software and will run in the security context of that site. As a result, it will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
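The following is an added example, not code from the advisory or from Apache Wicket. It models the class of flaw described above in a hypothetical request handler: one rendering function writes the decoded 'wicket:pageMapName' value into the HTML body verbatim, the other applies HTML entity encoding first. It also shows a compensating check an operator could apply while scheduling the upgrade: an allowlist for the parameter value (the pattern of a short identifier-like token is this example's assumption, not something the advisory or Wicket defines) and a scan over constructed Common Log Format access-log lines that decodes each request's query string and flags values that fail the allowlist. The request targets and log lines are constructed for the example, not captured traffic.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "wicket:pageMapName"

# Assumed allowlist: a page map name is treated as a short identifier-like token.
# This policy is the example's assumption, not something the advisory or Wicket defines.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")

# Constructed request targets (not captured traffic): one benign, one carrying a script payload.
BENIGN_URL = "/app/?wicket:interface=:0::::&wicket:pageMapName=main"
ATTACK_URL = ("/app/?wicket:interface=:0::::&wicket:pageMapName="
              "%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Constructed access-log lines in Common Log Format, consumed by scan_access_log below.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Mar/2012:07:42:01 +0000] "GET ' + BENIGN_URL + ' HTTP/1.1" 200 1843',
    '10.0.0.9 - - [23/Mar/2012:07:42:07 +0000] "GET ' + ATTACK_URL + ' HTTP/1.1" 200 1901',
    '10.0.0.5 - - [23/Mar/2012:07:42:09 +0000] "GET /app/static/style.css HTTP/1.1" 200 4410',
]


def query_params(target: str) -> dict:
    """Decode the query string of a request target into {name: [values]}."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def page_map_name(target: str) -> str:
    """Return the percent-decoded wicket:pageMapName value, or '' if absent."""
    return query_params(target).get(PARAM, [""])[0]


def render_vulnerable(target: str) -> str:
    """Hypothetical vulnerable rendering: the parameter value is written into the
    HTML body verbatim, so '<script>' in the value becomes a live element."""
    return f'<div class="pagemap">{page_map_name(target)}</div>'


def render_hardened(target: str) -> str:
    """Same output with HTML entity encoding applied, so '<', '>', '&' and quotes
    in the value are rendered as text rather than markup."""
    return f'<div class="pagemap">{html.escape(page_map_name(target))}</div>'


def is_safe_page_map_name(name: str) -> bool:
    """Allowlist check a front-end filter could apply before the request reaches the app."""
    return SAFE_NAME.fullmatch(name) is not None


# Pulls the request target out of a Common Log Format line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines) -> list:
    """Return (1-based line number, decoded value) for every request whose
    wicket:pageMapName fails the allowlist. The value is percent-decoded before
    the check so encoded payloads such as %3Cscript%3E are not missed."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        params = query_params(m.group(1))
        if PARAM not in params:
            continue
        value = params[PARAM][0]
        if not is_safe_page_map_name(value):
            hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_URL))
    print("hardened:  ", render_hardened(ATTACK_URL))
    for lineno, value in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious {PARAM}={value!r}")
```

The encoding step is the fix the upgraded Wicket releases apply in substance (encode at the output point, in the context the value lands in); the allowlist and the log scan are detection and containment measures for the window before the upgrade, and the log scan will only see payloads that were sent in the query string of a logged request.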

Impact:

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Apache Wicket software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:

Upgrade to Apache Wicket 1.4.20 (for 1.4.x deployments) or Apache Wicket 1.5.5 (for 1.5.x deployments).
