Return-Path: 
 <jspwiki-user-return-1089-apmail-incubator-jspwiki-user-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-jspwiki-user-archive@locus.apache.org
Received: (qmail 10569 invoked from network); 21 Jul 2008 14:16:15 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 21 Jul 2008 14:16:15 -0000
Received: (qmail 69090 invoked by uid 500); 21 Jul 2008 14:16:06 -0000
Delivered-To: apmail-incubator-jspwiki-user-archive@incubator.apache.org
Received: (qmail 69082 invoked by uid 500); 21 Jul 2008 14:16:06 -0000
Mailing-List: contact jspwiki-user-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:jspwiki-user-help@incubator.apache.org>
List-Unsubscribe: <mailto:jspwiki-user-unsubscribe@incubator.apache.org>
List-Post: <mailto:jspwiki-user@incubator.apache.org>
List-Id: <jspwiki-user.incubator.apache.org>
Reply-To: jspwiki-user@incubator.apache.org
Delivered-To: mailing list jspwiki-user@incubator.apache.org
Received: (qmail 69061 invoked by uid 99); 21 Jul 2008 14:16:06 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Jul 2008 07:16:06 -0700
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: local policy)
Received: from [208.97.132.5] (HELO homiemail-a1.g.dreamhost.com)
 (208.97.132.5)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Jul 2008 14:15:11 +0000
Received: from t61p.local (unknown [97.66.134.90])
	by homiemail-a1.g.dreamhost.com (Postfix) with ESMTP id D2B9B119DEB
	for <jspwiki-user@incubator.apache.org>;
 Mon, 21 Jul 2008 07:15:05 -0700 (PDT)
From: Vaughan Schmidt <vschmidt@schmidtusa.com>
Organization: The Schmidt Group, Inc.
To: jspwiki-user@incubator.apache.org
Subject: Known Security risks?
Date: Mon, 21 Jul 2008 10:15:04 -0400
User-Agent: KMail/1.9.9
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200807211015.04713.vschmidt@schmidtusa.com>
X-Virus-Checked: Checked by ClamAV on apache.org


This may not be quite the right forum to look for this information, but I'll 
ask anyways:

Wikis in general are notably insecure as it is in their nature to be open, 
editable, and accessible.  The permissioning and ACL features of JSPWiki seem 
to allow much more granular control that would be usefull in a corporate 
intranet environment.

(I know this is a broad question) What - if any - are known weaknesses within 
JSPWiki security?  Primarily concerned with unauthorized users viewing 
content or even portions / snippets of content they should never know exist.

One particular question (I could model this and test...) - When a user enters 
a search, are the Lucene results filtered by the user's permission to view 
that page?

I am currently uninstalling a competitive package because of just that 
weakness.  

For example:  Joe User searches for term "employee layoffs" and the search 
results show that this term is indeed contained on the page "2009 Business 
Plan" which he normally can not access.  But at least now, he knows that such 
a page does exist and does contain that search phrase - although the link to 
the page is non-functional per the ACL definition.

I'm asking the mailing list because some of these little security loopholes 
are hard to stumble across just in "sandbox" testing - a lot of them require 
the user to do something slightly unexpected to bring them to light.

Thank you-

Vaughan Schmidt