Hi there,
I'm trying to set up our dispatcher, but realize attacker able to bypass the default filter by appending ";%0aJLN.ico" such as some of the endpoints affected like "https://website.com/check.jsp;%0aJLN.ico"
I realize this extension below allow the attacker to go through any extension listed.
"/0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' } ".
Is there a way/fix to handle the bypass and what rule or extension should I use instead?
Any help you could provide would be much appreciated!
Thanks!
Solved! Go to Solution.
Views
Replies
Total Likes
Hi @teaevo ,
Please consider removing "extension" from your filter section. For security reason you can implement below to allow the mime types.
/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.otf *" } # enable otf
For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/
Hi @teaevo ,
Please consider removing "extension" from your filter section. For security reason you can implement below to allow the mime types.
/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.otf *" } # enable otf
For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/
Is there any alternate solution if I want on the same line like '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' ?
Views
Replies
Total Likes
Hi @teaevo ,
Your given lines i have segregated and given separately in the comment. In place of "extenstion" use that set. That holds the same meaning.
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies