Friday Jul 27, 2007

JSPWiki Serious Security Issue - Beware of Install.jsp and SecurityConfig.jsp files

Older versions of JSPWiki (for example JSPWiki v2.2.28) ship with a serious back door: if you are not aware of it, any user can cause serious damage to your wiki. Sun Portal Server 7.0 / 7.1 customers should be aware of this issue and make sure that the Portal Server wiki portlet is secured. Sites hosted on a standalone JSPWiki system should make sure that external users cannot access the files below:

(a) /../wiki/Install.jsp
(b) /../wiki/admin/SecurityConfig.jsp
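One way to enforce that restriction on a standalone deployment, as an added example that is not part of the original post or of the web.xml shipped with JSPWiki: a servlet security-constraint in the war's WEB-INF/web.xml whose empty auth-constraint grants the two pages to no role at all, so the container answers every request to them with 403, logged in or not. It assumes a container that implements the Servlet 2.4 rule that an empty auth-constraint denies all; the URL patterns are relative to the context root, so the same fragment covers both a /wiki/... and a /JSPWiki/... deployment.

```xml
<!-- Added to WEB-INF/web.xml of the JSPWiki war (example fragment, not JSPWiki's own).
     An empty <auth-constraint/> permits no role, so the container rejects every
     request to these paths with 403 before the JSP ever runs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPWiki setup and security pages</web-resource-name>
    <!-- paths are relative to the context root (/wiki or /JSPWiki) -->
    <url-pattern>/Install.jsp</url-pattern>
    <url-pattern>/admin/SecurityConfig.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Take the constraint out only for the one-time setup through Install.jsp on a wiki that is not yet reachable from outside, and put it back before the container is exposed; without an http-method list the constraint covers every method, so the two GET/POST lines can simply be dropped if the container complains about them.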

In a Portal Server deployment, if the wiki is not secured, any user can access the /wiki/Install.jsp page directly and bring the wiki down. Below is a worst case:

1. Suppose you have set up a Portal Server at http://abc.india.sun.com/portal . Assuming a default installation where you have not changed much, access the URL http://abc.india.sun.com/wiki/Install.jsp
2. The Install.jsp page is a form that allows any user to update the wiki configuration (for example, users can change Application Name, Base URL, File storage, Work directory, etc.)
3. After updating this form, click the Configure button and restart the container. Then try to access the wiki within Portal Server.

Issue: You will now see that the wiki tab displays an error.
(Update 23/Aug/2007: this issue is now fixed in the latest build)

Saturday Jun 23, 2007

JSPWiki displays Access Denied Error for Admin user

After deploying jspwiki.war successfully in Sun Web Server, whenever I try to log in as admin, I get the error below:

The web page displays this error: "Forbidden. Sorry, but you are not allowed to do that. Usually we block access to something because you do not have the correct privileges (e.g., read, edit, comment) for the page you are looking for..."

Jspwiki.log displays this error: INFO com.ecyrd.jspwiki.WikiContext JSPWiki:http://site - User Admin has no access - forbidden (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Main", "view" ))

Now, to make JSPWiki work, I had to remove the signedBy "jspwiki" entry from the WEB-INF/jspwiki.policy file and restart the container.

Sunday Jun 17, 2007

Configuring JSPWiki for Sun Web Server (6.1)

After deploying JSPWiki.war:

1. Access the URL (http://localhost:8080/JSPWiki). If everything is configured successfully, you should see the Main wiki page.

Note: If you get a Login page instead of the Main page when you access the above URL, there is a problem with the WEB-INF/jspwiki.policy file. See here for troubleshooting.

2. There are two ways to proceed from here:

I. Access Install.jsp and obtain the admin user password generated by JSPWiki

(a) Access the Install.jsp file (http://localhost:8080/JSPWiki/Install.jsp)

(b) Set the application name and the Pages/Log/Work directories, then click the Configure button

(c) Note down the password. Log in with the admin password and change it to a password of your own (MyPrefs >> Set Admin user details >> Save the page)

(d) Your new wiki is now configured. You need to restart the container for the change to take effect


II. Alternatively, create the Admin user from the MyPrefs link

(a) First create an Admin user (MyPrefs >> Set Admin user details >> Save the page)

(b) You are now automatically logged in as the Admin user

Note: Install.jsp displays the contents of the jspwiki.properties file. Any changes made through the UI are written back to jspwiki.properties (usually you can see the entry at the bottom of the jspwiki.properties file, where it overrides the defaults)

Note: Normally, once the admin user is created, you can no longer access Install.jsp. To access Install.jsp again, you need to delete the admin user details from the userdatabase.xml file



About

I'm a Quality Engineer at Sun Microsystems. In this blog you may find information about Software Testing, Portal Server, Virtualization, Web 2.0 and miscellaneous technical topics. The views expressed here are personal and do not reflect those of my employer.
