Moving this to the dev list...

It's not especially serious; certainly no more so than with any other webapp. Basically, the issue is that a user could type in the direct URL of a template content file (/templates/default/EditContent.jsp) rather than the usual Edit.jsp.

While we haven't tested this out too much, we're pretty sure that JSPs addressed in this way will simply cause a null-pointer exception or produce some other kind of harmless error. That's because the content files assume that a WikiContext is already instantiated by a top-level JSP like Edit.jsp. If you address the template JSPs directly, it won't have a WikiContext, and will thus simply fail.

I'd call this an irritant rather than a security issue. We have no plans to fix this in the 2.x timeframe. It will be fixed in 3.0, when we move to Stripes.

Bottom line: I do not believe this presents any kind of security risk.

Andrew


On Jan 9, 2008, at 11:59 AM, Terry Steichen wrote:

I can't find the reference, but someone (Janne?) mentioned a vulnerability of JSPWiki to hacking because the JSP modules aren't behind WEB-INF. Could someone expand on this issue - how serious is it, and if it is serious, what could be done to remedy it?

TIA,

Terry
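
One way to close off the direct-URL case described in this thread, as an added example that is not code from JSPWiki or from either poster: a servlet filter that answers 404 for client requests to JSPs under /templates/. The class name and the web.xml mapping are hypothetical, and it assumes the top-level JSPs pull in the content files through server-side includes or forwards.

```java
// Added example: hypothetical filter, not part of JSPWiki.
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml mapping:
 *   <filter>
 *     <filter-name>TemplateJspGuard</filter-name>
 *     <filter-class>TemplateJspGuardFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>TemplateJspGuard</filter-name>
 *     <url-pattern>/templates/*</url-pattern>
 *   </filter-mapping>
 * With no <dispatcher> element the filter runs for client requests only,
 * so a content JSP included or forwarded to by Edit.jsp is not intercepted.
 */
public class TemplateJspGuardFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // For an extension-mapped JSP, the servlet path is the JSP's own path,
        // e.g. /templates/default/EditContent.jsp.
        String path = ((HttpServletRequest) req).getServletPath();

        // Lower-case first so ".JSP" on a case-insensitive file system is caught too.
        if (path != null && path.toLowerCase(Locale.ROOT).endsWith(".jsp")) {
            // Direct hit on a content JSP: no WikiContext exists, so refuse it
            // here instead of letting the page fail with an exception.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Other files under /templates/ (stylesheets, images) pass through.
        chain.doFilter(req, res);
    }
}
```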

