It is most certainly an irritant. I get about a dozen emails every
day with the error "WikiContext may not be null" from bots or hacking
attempts which are for some reason hitting the template JSP files
directly.
But I agree, I don't think this is a security risk.
The reference is here: https://issues.apache.org/jira/browse/JSPWIKI-43
/Janne
On 9 Jan 2008, at 19:43, Andrew Jaquith wrote:
Moving this to the dev list...
It's not especially serious; certainly no more so than with any
other webapp. Basically, the issue is that a user could type in the
direct URL of a template content file (/templates/default/
EditContent.jsp) rather than the usual Edit.jsp.
While we haven't tested this out too much, we're pretty sure that
JSPs addressed in this way will simply cause a null-pointer
exception or produce some other kind of harmless error. That's
because the content files assume that a WikiContext is already
instantiated by a top-level JSP like Edit.jsp. If you address the
template JSPs directly, it won't have a WikiContext, and will thus
simply fail.
I'd call this an irritant rather than a security issue. We have no
plans to fix this in the 2.x timeframe. It will be fixed in 3.0,
when we move to Stripes.
Bottom line: I do not believe this presents any kind of security risk.
Andrew
On Jan 9, 2008, at 11:59 AM, Terry Steichen wrote:
I can't find the reference, but someone (Janne?) mentioned a
vulnerability of JSPWiki to hacking because the JSP modules aren't
behind WEB-INF. Could someone expand on this issue - how serious
is it, and if it is serious, what could be done to remedy it?
TIA,
Terry
