Dispatcher Filters insecure #32

Open
jarrell-adobe opened this issue Aug 5, 2020 · 4 comments
Labels
Bug Problem with how the docs are working like an invalid link, non-rendering image, or broken nav Tracked Issue has been triaged and transferred to AdobeDocs Jira

@jarrell-adobe

Hey there, Zach Jarrell from Adobe Managed Services. The filter rules on this page are known to be insecure, and if AEM users were to put them in production they would risk serious exposure to crafted URLs and pivoting. Rules 22, 23, and 41, specifically. They allow crx access with a pivot, and 23 allows .tidy.json to load.

@aheim0 aheim0 added the Bug Problem with how the docs are working like an invalid link, non-rendering image, or broken nav label Aug 5, 2020
@aheim0
Contributor

aheim0 commented Aug 5, 2020

Thanks for highlighting this, we will investigate.

@aheim0 aheim0 assigned ghost Aug 5, 2020
@jarrell-adobe
Author

jarrell-adobe commented Aug 5, 2020

I just had a customer try to go live with the config listed here.

I ran my security scanner against the dispatcher and this was the result for publish_filters.any:

###################################################################
Below ERRORs are regarding synopsys_publish_filters.any:

ERROR: /bin/crxde/logs IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0022 allowed 'GET /bin/crxde/logs HTTP/1.1'

ERROR: /bin/querybuilder.feed.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0041 allowed 'GET /bin/querybuilder.feed.css HTTP/1.1'

ERROR: /bin/querybuilder.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0022 allowed 'GET /bin/querybuilder.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/querybuilder.json.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0022 allowed 'GET /bin/groovyconsole/audit.servlet HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0022 allowed 'GET /bin/groovyconsole/post.servlet HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet;%0aa.css HTTP/1.1'

ERROR: /content.s7publish.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content.s7publish.json HTTP/1.1'

ERROR: /content/ IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/ HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.blueprint.conf HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.blueprint.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.childrenlist.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.infinity..json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.infinity.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.languages.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.media.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.offline.doc HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.offline.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.search.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.version.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/add_valid_page.html?debug=layout HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/content/geometrixx.sitemap.txt HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en._jcr_content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.activity.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.html HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.xml HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en.html?debug=layout HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.mcmtree.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en.pages.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en.paragraphs.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.rss.xml HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.views.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/geometrixx.sitemap.txt HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename._jcr_content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename.jcr:content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/screens.exportsearch.csv HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/usergenerated/mytestnode/ HTTP/1.1'

ERROR: /content/.blueprint.conf IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.blueprint.conf HTTP/1.1'

ERROR: /content/.blueprint.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.blueprint.json HTTP/1.1'

ERROR: /content/.childrenlist.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.childrenlist.json HTTP/1.1'

ERROR: /content/.infinity..json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.infinity..json HTTP/1.1'

ERROR: /content/.infinity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.infinity.json HTTP/1.1'

ERROR: /content/.languages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.languages.json HTTP/1.1'

ERROR: /content/.media.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.media.json HTTP/1.1'

ERROR: /content/.offline.doc IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.offline.doc HTTP/1.1'

ERROR: /content/.offline.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.offline.json HTTP/1.1'

ERROR: /content/.search.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.search.json HTTP/1.1'

ERROR: /content/.tidy.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1'

ERROR: /content/.version.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.version.json HTTP/1.1'

ERROR: /content/add_valid_page.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/add_valid_page.html?debug=layout HTTP/1.1'

ERROR: /content/content/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/content/geometrixx.sitemap.txt HTTP/1.1'

ERROR: /content/mypage/en._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en._jcr_content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en.activity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.activity.json HTTP/1.1'

ERROR: /content/mypage/en.feed.html IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.html HTTP/1.1'

ERROR: /content/mypage/en.feed.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.xml HTTP/1.1'

ERROR: /content/mypage/en.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en.html?debug=layout HTTP/1.1'

ERROR: /content/mypage/en.mcmtree.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.mcmtree.json HTTP/1.1'

ERROR: /content/mypage/en.pages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en.pages.json HTTP/1.1'

ERROR: /content/mypage/en.paragraphs.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en.paragraphs.json HTTP/1.1'

ERROR: /content/mypage/en.rss.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.rss.xml HTTP/1.1'

ERROR: /content/mypage/en.views.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.views.json HTTP/1.1'

ERROR: /content/mypage/en/_jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en/_jcr_content.json IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.json HTTP/1.1'

ERROR: /content/mypage/en/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/geometrixx.sitemap.txt HTTP/1.1'

ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1'

ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1'

ERROR: /content/mypage/en/pagename._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename._jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en/pagename.jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename.jcr:content.feed HTTP/1.1'

ERROR: /content/screens.exportsearch.csv IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/screens.exportsearch.csv HTTP/1.1'

ERROR: /content/usergenerated/mytestnode/ IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/usergenerated/mytestnode/ HTTP/1.1'

ERROR: /crx/de/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /crx/de/index.jsp;%0aa.css HTTP/1.1'

ERROR: /crx/explorer/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries:
[Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /crx/explorer/index.jsp;%0aa.css HTTP/1.1'
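
One way to triage Dispatcher trace output like the scanner result above, as an added example that is not part of the original comment and is not the reporter's scanner: it groups allowed requests by the filter rule that let them through and says why each one is suspicious. The check list is an assumption built from paths seen in the output, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Sample input: four trace lines copied from the scanner output above, plus one
# constructed line (pid 940, /etc/clientlibs/site.css) that should not be flagged.
SAMPLE_LOG = """\
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0022 allowed 'GET /bin/crxde/logs HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /crx/de/index.jsp;%0aa.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 940] Filter rule entry /0041 allowed 'GET /etc/clientlibs/site.css HTTP/1.1'
"""

# Matches the "allowed" trace lines in the format shown above.
ALLOWED_RE = re.compile(r"Filter rule entry (/\d+) allowed '[A-Z]+ (.+) HTTP/\d\.\d'")

# Illustrative checks (assumptions, derived from paths in the scanner output).
CHECKS = [
    ("admin or console path",
     re.compile(r"^/(?:bin/(?:crxde|groovyconsole|querybuilder)|crx/)")),
    ("semicolon path parameter", re.compile(r";")),
    ("JSON dump selector",
     re.compile(r"\.(?:infinity|tidy|childrenlist|search)\.json$")),
]


def triage(log_text):
    """Return {rule_id: [(url, [reasons]), ...]} for allowed requests that hit a check."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        match = ALLOWED_RE.search(line)
        if not match:
            continue
        rule, url = match.group(1), match.group(2)
        path = url.split("?", 1)[0]  # checks apply to the path, not the query string
        reasons = [name for name, rx in CHECKS if rx.search(path)]
        if reasons:
            findings[rule].append((url, reasons))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"rule {rule}: {len(hits)} flagged request(s)")
        for url, reasons in hits:
            print(f"  {url}  <- {', '.join(reasons)}")
```

Grouping by rule ID points straight at the filter entries that need tightening, which is how the report above narrows the problem to rules 22, 23 and 41.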

@aheim0 aheim0 assigned ghost and unassigned ghost Aug 5, 2020
@jarrell-adobe
Author

AMS OOTB replaces 42 and 23 with the following rule:

This rule allows content to be accessed

/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } ## disable this rule to allow mapped content only

@aheim0
Contributor

aheim0 commented Aug 5, 2020

Tracking with CQDOC-16591.

@bohnertchris bohnertchris added the Tracked Issue has been triaged and transferred to AdobeDocs Jira label Apr 21, 2021