Hi there,
I'm trying to set up our dispatcher, but realized an attacker is able to bypass the default filter by appending ";%0aJLN.ico". Some of the affected endpoints look like "https://website.com/check.jsp;%0aJLN.ico".
I realize the extension rule below allows the attacker to get through with any extension listed:
"/0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' } ".
Is there a way/fix to handle the bypass, and what rule or extension should I use instead?
Any help you can provide would be much appreciated!
Thanks!
Hi @teaevo ,
Please consider removing "extension" from your filter section. For security reasons, you can implement the rules below to allow the MIME types.
/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.otf *" } # enable otf
For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/
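An added example, not from this thread or from the dispatcher project: a Python scan of Apache access log lines that flags requests shaped like the bypass in the question (a ";" path parameter whose tail ends in an allowed static extension, or a percent-encoded control character such as %0a), so you can check whether it has been attempted against your publish tier. The log lines, IPs and paths are constructed.

```python
import re
from urllib.parse import unquote

# Static extensions allowed by the dispatcher filter discussed in this thread
ALLOWED_STATIC_EXTS = {"clientlibs", "css", "gif", "ico", "js", "png", "swf",
                       "jpg", "jpeg", "woff", "woff2"}

# Apache "combined" access log: ip ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

def _ext(segment):
    """Extension of the last path segment (or of a path-parameter string); '' if none."""
    name = segment.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_path(raw_path):
    """Return a reason string if the path looks like an extension-filter bypass, else None."""
    decoded = unquote(raw_path.split("?", 1)[0])  # drop query string, decode %xx
    # A ';' path parameter whose tail ends in an allowed static extension while the
    # real resource in front of it does not, e.g. /check.jsp;<LF>JLN.ico
    if ";" in decoded:
        resource, _, param = decoded.partition(";")
        if _ext(param) in ALLOWED_STATIC_EXTS and _ext(resource) not in ALLOWED_STATIC_EXTS:
            return f"path parameter ends in .{_ext(param)} but resource is .{_ext(resource) or '(none)'}"
    # Percent-encoded control characters (such as %0a) have no business in a URL path
    if any(ord(c) < 0x20 for c in decoded):
        return "percent-encoded control character in path"
    return None

def scan_access_log(lines):
    """Return a list of (ip, path, status, reason) for each line whose path is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reason = suspicious_path(m["path"])
        if reason:
            findings.append((m["ip"], m["path"], int(m["status"]), reason))
    return findings

# Constructed sample lines (not from any real server): the third reproduces the bypass
# shape from the question; the second is a legitimate ';jsessionid' path parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /content/site/en.html;jsessionid=ABC123 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /check.jsp;%0aJLN.ico HTTP/1.1" 200 312',
]
```

Running scan_access_log(SAMPLE_LOG) returns a single finding for the 203.0.113.9 request; a 200 status on such a hit is the signal that the filter did not block it.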
Is there an alternate solution if I want it on the same line, like '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)'?
Hi @teaevo ,
Your given lines I have segregated and given separately in the comment. In place of "extension" use that set. That holds the same meaning.