Dispatcher Filters insecure #32
Comments
Thanks for highlighting this, we will investigate.
I just had a customer try to go live with the config listed here. I ran my security scanner against the dispatcher and this was the result for publish_filters.any:

```
###################################################################
ERROR: /bin/crxde/logs IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/querybuilder.feed.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/querybuilder.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/querybuilder.json.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/audit.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/audit.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/audit.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/post.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/post.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /bin/groovyconsole/post.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content.s7publish.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/ IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.blueprint.conf IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.blueprint.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.childrenlist.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.infinity..json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.infinity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.languages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.media.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.offline.doc IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.offline.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.search.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.tidy.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/.version.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/add_valid_page.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/content/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.activity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.feed.html IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.feed.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.mcmtree.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.pages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.paragraphs.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.rss.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en.views.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/_jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/_jcr_content.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/pagename._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/mypage/en/pagename.jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/screens.exportsearch.csv IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /content/usergenerated/mytestnode/ IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /crx/de/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
ERROR: /crx/explorer/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
```
AMS OOTB replaces 42 and 23 with the following rule:

```
## This rule allows content to be accessed
/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" }
## disable this rule to allow mapped content only
```
Tracking with CQDOC-16591.
Hey there, Zach Jarrell from Adobe Managed Services. The filter rules on this page are known to be insecure, and if AEM users were to put them in production they would risk serious exposure to crafted URLs and pivoting. Rules 22, 23, and 41, specifically, allow crx access with a pivot, and 23 allows .tidy.json to load.
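As an added example that is not part of this thread, the repository's configuration, or Adobe's code: a small Python model of how dispatcher filter rules are evaluated, run over a few of the URLs from the scanner output above, first against a constructed permissive rule set (a blanket `/content` allow plus a path-agnostic allow by extension, in the spirit of what the issue calls insecure) and then against the AMS rule quoted in the thread. The model's semantics are assumptions, stated in the docstring: last matching rule wins, single quotes are a full-match regex and double quotes a glob, the dispatcher decomposes the decoded URL into path/selectors/extension/suffix the way Sling does, and Sling drops `;...` path parameters while the dispatcher does not (the "pivot" behind `/bin/querybuilder.json.servlet;%0aa.css`). The rule names and sample URLs are constructed for the demonstration.

```python
"""Added example (not the repo's config or Adobe's code): a simplified model
of AEM Dispatcher filter evaluation. Assumptions of the model:
  * rules run in order and the LAST matching rule wins; no match means deny;
  * 'single quoted' = regex (full match), "double quoted" = glob;
  * the decoded URL is split like Sling does: path up to the first dot of the
    first dotted segment, selectors up to the last dot, extension after it;
  * Sling strips ';...' path parameters before resolving, the dispatcher does
    not, which is why it sees extension 'css' on a ';%0aa.css' URL.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class Rule:
    kind: str                                       # "allow" or "deny"
    conds: Dict[str, Tuple[bool, str]] = field(default_factory=dict)  # field -> (is_regex, pattern)


@dataclass
class Request:
    url: str            # decoded path; what /url is matched against
    path: str
    selectors: str
    extension: str
    suffix: str
    query: str


def parse_rules(text: str) -> List[Rule]:
    """Parse '/NNNN { /type "allow" /extension '..' /path ".." }' blocks; '#' lines are comments."""
    text = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    rules: List[Rule] = []
    for block in re.finditer(r"/\w+\s*\{([^}]*)\}", text):
        kind, conds = "deny", {}
        for m in re.finditer(r"""/(\w+)\s+(?:'([^']*)'|"([^"]*)")""", block.group(1)):
            name, regex, glob = m.groups()
            if name == "type":
                kind = glob
            else:
                conds[name] = (regex is not None, regex if regex is not None else glob)
        rules.append(Rule(kind, conds))
    return rules


def decompose(raw: str) -> Request:
    """Split a request URL into the parts the filter elements match on."""
    parts = urlsplit(raw)
    full = unquote(parts.path)          # %0a etc. are decoded before matching
    segs = full.split("/")
    for i, seg in enumerate(segs):
        if "." not in seg:
            continue
        head, rest = seg.split(".", 1)
        path = "/".join(segs[:i] + [head])
        suffix = "/" + "/".join(segs[i + 1:]) if i + 1 < len(segs) else ""
        selectors, extension = rest.rsplit(".", 1) if "." in rest else ("", rest)
        return Request(full, path, selectors, extension, suffix, parts.query)
    return Request(full, full, "", "", "", parts.query)


def sling_view(raw: str) -> str:
    """Path Sling resolves once ';...' path parameters are dropped (simplified)."""
    return re.sub(r";[^/]*", "", unquote(urlsplit(raw).path))


def _match(cond: Tuple[bool, str], value: str) -> bool:
    is_regex, pattern = cond
    return (re.fullmatch(pattern, value) is not None) if is_regex else fnmatch.fnmatchcase(value, pattern)


def evaluate(rules: List[Rule], req: Request) -> str:
    decision = "deny"                   # nothing matched: dispatcher denies
    for r in rules:
        if all(_match(c, getattr(req, name)) for name, c in r.conds.items()):
            decision = r.kind           # later matches override earlier ones
    return decision


def audit(rules_text: str, urls: List[str]) -> Dict[str, str]:
    rules = parse_rules(rules_text)
    return {u: evaluate(rules, decompose(u)) for u in urls}


# Constructed permissive set: blanket /content allow plus path-agnostic extension allow.
PERMISSIVE = """
/0001 { /type "deny"  /url "*" }
/0002 { /type "allow" /url "/content*" }
/0003 { /type "allow" /extension '(css|js|gif|png|jpg)' }
"""
# The AMS rule quoted in the thread, behind the same default deny.
AMS_STYLE = """
/0001 { /type "deny"  /url "*" }
## This rule allows content to be accessed
/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" }
"""
# URLs taken from the scanner output in the thread, plus one legitimate page.
SAMPLE_URLS = [
    "/content/.infinity.json",
    "/content/mypage/en.tidy.json",
    "/bin/querybuilder.json.servlet;%0aa.css",
    "/content/mypage/en.html?debug=layout",
    "/content/mypage/en.html",
]

if __name__ == "__main__":
    loose, tight = audit(PERMISSIVE, SAMPLE_URLS), audit(AMS_STYLE, SAMPLE_URLS)
    for u in SAMPLE_URLS:
        r = decompose(u)
        print(f"{u:42} ext={r.extension!r:7} sling={sling_view(u):32} permissive={loose[u]:5} ams={tight[u]}")
```

Two things the run makes visible that the rule text alone does not: `/content/.infinity.json` decomposes to path `/content/` and extension `json`, so a path glob on `/content/*` accepts it and only the extension allow-list turns it away; and the `;%0aa.css` URL carries extension `css` as far as the dispatcher is concerned, so any rule that allows by extension without also pinning the path lets it through to a Sling path of `/bin/querybuilder.json.servlet`. The `?debug=layout` request still passes the AMS rule, since that rule looks only at path and extension; a separate deny on the query string is needed for it.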