Servlet path error: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable

Question

Hello I have a question about the below error seen multiple times in our prod logs. Our's is a DAM implementation project. The reason for this error is specified as below:

"The actual issue is AEM could not resolve the servlet and assumes it as a resource path but this is not a valid resource path, the below exception will be thrown when AEM tries to set the property values."

Can someone help understand if this is a OOB servlet call and how to trace the servlet details? How to fix this error?

11.08.2021 08:03:41.851 *ERROR* [10.22.1.4 [1628669021846] POST /content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:372) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:93) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.AbstractPostOperation.run(AbstractPostOperation.java:99) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:228) [org.apache.sling.servlets.post:2.3.26]

P_V_Nair · Accepted Answer

@asutosh_jena_ @ritesh_mittal Just to update my analysis till now. Got to know that this servlet call was not happening from our application code.

The paths in the log were exactly matching the guideContainer paths in here https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py

Got some more information on this from here https://thedarksource.com/aem-testing-by-security-analysts-perspective-manual-and-automated-methods/ . Please check on section 'Main Vulnerabiltiy in AEM Component: GuideInternalSubmitServlet'

So I believe it should be part of some AEM hacker testing or someone was even trying to do this AEM hacker testing on our application. This is my finding. Please shout out if you sense anything else in this scenario.

Ritesh_Mittal · Answer

Hi @p_v_nair , This happens when the URL is not accessible. Check 'Apache Sling Servlet/Script Resolver'. Also, check the permission on the JS, is it accessible for the user since it is a POST call.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded