Posted to user@jspwiki.apache.org by Terry Steichen <te...@net-frame.com> on 2008/01/09 17:59:33 UTC

Module vulnerability?

I can't find the reference, but someone (Janne?) mentioned a 
vulnerability of JSPWiki to hacking because the JSP modules aren't 
behind WEB-INF.  Could someone expand on this issue - how serious is it, 
and if it is serious, what could be done to remedy it?

TIA,

Terry


Re: Module vulnerability?

Posted by Janne Jalkanen <Ja...@ecyrd.com>.
It is most certainly an irritant.  I get about a dozen emails every  
day with the error "WikiContext may not be null" from bots or hacking  
attempts which are for some reason hitting the template JSP files  
directly.

But I agree, I don't think this is a security risk.

The reference is here: https://issues.apache.org/jira/browse/JSPWIKI-43

/Janne

On 9 Jan 2008, at 19:43, Andrew Jaquith wrote:

> Moving this to the dev list...
>
> It's not especially serious; certainly no more so than with any  
> other webapp. Basically, the issue is that a user could type in the  
> direct URL of a template content file (/templates/default/EditContent.jsp)
> rather than the usual Edit.jsp.
>
> While we haven't tested this out too much, we're pretty sure that  
> JSPs addressed in this way will simply cause a null-pointer  
> exception or produce some other kind of harmless error. That's  
> because the content files assume that a WikiContext is already  
> instantiated by a top-level JSP like Edit.jsp. If you address the  
> template JSPs directly, it won't have a WikiContext, and will thus  
> simply fail.
>
> I'd call this an irritant rather than a security issue. We have no  
> plans to fix this in the 2.x timeframe. It will be fixed in 3.0,  
> when we move to Stripes.
>
> Bottom line: I do not believe this presents any kind of security risk.
>
> Andrew
>
>
> On Jan 9, 2008, at 11:59 AM, Terry Steichen wrote:
>
>> I can't find the reference, but someone (Janne?) mentioned a  
>> vulnerability of JSPWiki to hacking because the JSP modules aren't  
>> behind WEB-INF.  Could someone expand on this issue - how serious  
>> is it, and if it is serious, what could be done to remedy it?
>>
>> TIA,
>>
>> Terry
>>


Re: Module vulnerability?

Posted by Andrew Jaquith <an...@mac.com>.
Moving this to the dev list...

It's not especially serious; certainly no more so than with any other  
webapp. Basically, the issue is that a user could type in the direct  
URL of a template content file (/templates/default/EditContent.jsp)  
rather than the usual Edit.jsp.

While we haven't tested this out too much, we're pretty sure that JSPs  
addressed in this way will simply cause a null-pointer exception or  
produce some other kind of harmless error. That's because the content  
files assume that a WikiContext is already instantiated by a top-level  
JSP like Edit.jsp. If you address the template JSPs directly, it won't  
have a WikiContext, and will thus simply fail.

I'd call this an irritant rather than a security issue. We have no  
plans to fix this in the 2.x timeframe. It will be fixed in 3.0, when  
we move to Stripes.

Bottom line: I do not believe this presents any kind of security risk.

Andrew


On Jan 9, 2008, at 11:59 AM, Terry Steichen wrote:

> I can't find the reference, but someone (Janne?) mentioned a  
> vulnerability of JSPWiki to hacking because the JSP modules aren't  
> behind WEB-INF.  Could someone expand on this issue - how serious is  
> it, and if it is serious, what could be done to remedy it?
>
> TIA,
>
> Terry
>
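
An added example, not part of the original thread and not JSPWiki code: a log-triage sketch for spotting the direct template-JSP requests discussed above. It assumes access logs in Common/Combined Log Format and template JSPs under a `templates/<name>/` directory as in the path quoted in the thread; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Any JSP below a templates/<name>/ directory, e.g. /templates/default/EditContent.jsp
TEMPLATE_JSP = re.compile(r'/templates/[^/]+/(?:[^/]+/)*[^/]+\.jsp$', re.IGNORECASE)


def normalize_path(target):
    """Drop the query string and ;path parameters, then percent-decode the path."""
    raw = urlsplit(target).path
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw.split("/"))
    return unquote(stripped)


def direct_template_hits(lines):
    """Yield (host, path, status) for requests aimed straight at a template JSP."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = normalize_path(m.group("target"))
        if TEMPLATE_JSP.search(path):
            yield m.group("host"), path, int(m.group("status"))


def summarize(lines):
    """Count direct template-JSP requests per client host."""
    return Counter(host for host, _, _ in direct_template_hits(lines))


# Constructed sample lines (documentation IP ranges, made-up sizes and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2008:17:01:02 +0000] "GET /Edit.jsp?page=Main HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Jan/2008:17:01:05 +0000] "GET /templates/default/EditContent.jsp HTTP/1.1" 500 1043',
    '198.51.100.7 - - [09/Jan/2008:17:01:06 +0000] "GET /JSPWiki/templates/default/EditContent.jsp;jsessionid=ABC?page=Main HTTP/1.1" 500 1043',
    '203.0.113.5 - - [09/Jan/2008:17:02:11 +0000] "GET /templates/default/jspwiki.css HTTP/1.1" 200 812',
    '203.0.113.5 - - [09/Jan/2008:17:02:12 +0000] "GET /templates/default/%45ditContent.jsp HTTP/1.0" 500 1043',
]

if __name__ == "__main__":
    for host, count in summarize(SAMPLE_LOG).most_common():
        print(f"{host}\t{count} direct template JSP request(s)")
```

Requests for `Edit.jsp` and for static files under `templates/` are not counted; only paths that resolve to a `.jsp` below a template directory are.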