This post originated from an RSS feed registered with Java Buzz
by Simon Brown.
Original Post: JRoller hacked - what about Pebble?
Feed Title: Simon Brown's weblog
Feed URL: http://www.simongbrown.com/blog/feed.xml?flavor=rss20&category=java
Feed Description: My thoughts on Java, software development and technology.
I've had a couple of Pebble users e-mail about the recent JRoller hack, asking whether Pebble is susceptible to the same thing. Well...
Pebble is a JSP-based web application and each of the views, including the themes, is implemented using JSP. I've had this discussion a few times before with various people, but basically the main reason why you won't find a "sign up for your own Pebble powered blog here" page is because Pebble's views are all JSP. In fact, I've even recommended people take a look at Roller or blojsom where they've wanted to run a site like JRoller.
With Pebble, each blog (in single or multi-user mode) has a custom theme containing a number of JSPs that can be edited. There's even a nice UI so that themes can be managed and edited at runtime, via a web browser. Since blog owners can edit the theme associated with their blog, they can write any arbitrary Java code into the page and have that executed.
So, bearing in mind that the user was already signed up to JRoller with an account, this hack took advantage of the fact that there wasn't a straightforward way to upload and execute JSP pages. With Pebble, uploading and editing JSP files is part of the product. Anybody with access to a Pebble blog can upload and edit JSPs, and to answer the original question: yes, you can run arbitrary code if you have access to the blog. Pebble is all about simplicity, power and a rich user experience with standard technologies. Of course, there are a number of ways to limit the code that can be executed and I'll write about some of these over the next few days.
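As an added example (not Pebble's own code), here is the kind of check a Pebble administrator could run over a theme's JSP files before accepting an edit: it reports the constructs that embed Java in a template (scriptlets, declarations, expressions, page-import directives and their XML-syntax equivalents), which is one way of limiting what theme editors can execute. The sample theme below is constructed for the example.

```python
import re

# A JSP comment is not code, so it is blanked out before matching.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)

# Constructs that put arbitrary Java into a template. The scriptlet pattern
# excludes "<%@" (directive), "<%--" (comment), "<%!" and "<%=" so that each
# construct is reported under exactly one kind.
CODE_PATTERNS = {
    "scriptlet":   re.compile(r"<%(?![@\-!=])"),                 # <% ... %>
    "declaration": re.compile(r"<%!"),                          # <%! ... %>
    "expression":  re.compile(r"<%="),                          # <%= ... %>
    "page-import": re.compile(r"<%@\s*page\b[^%]*\bimport\s*=", re.IGNORECASE),
    "xml-script":  re.compile(r"<jsp:(scriptlet|declaration|expression)\b"),
}


def scan_theme_jsp(text):
    """Return sorted (line_number, kind) findings for one JSP theme file."""
    # Replace each comment with the newlines it contained so that the line
    # numbers of later findings are unchanged.
    cleaned = JSP_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    findings = []
    for kind, pattern in CODE_PATTERNS.items():
        for match in pattern.finditer(cleaned):
            line = cleaned.count("\n", 0, match.start()) + 1
            findings.append((line, kind))
    return sorted(findings)


# Constructed sample theme: a harmless directive, a page import, an
# EL-only heading, a commented-out scriptlet, a live scriptlet and an
# expression. Only the last four kinds of line should be reported.
SAMPLE_THEME = """<%@ page contentType="text/html" %>
<%@ page import="java.io.*" %>
<html><body>
<h1>${blog.name}</h1>
<%-- <% out.println("old debug output"); %> --%>
<% out.println(System.getProperty("user.dir")); %>
<p><%= new java.util.Date() %></p>
</body></html>
"""

if __name__ == "__main__":
    for line, kind in scan_theme_jsp(SAMPLE_THEME):
        print("line %d: %s" % (line, kind))
```

Custom tag libraries and EL can still reach Java, so a scan like this is a review aid for theme edits rather than a sandbox.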