AEM Dispatcher handle bypass extension filter

Question

Hi there,

I'm trying to set up our dispatcher, but realize attacker able to bypass the default filter by appending ";%0aJLN.ico" such as some of the endpoints affected like "https://website.com/check.jsp;%0aJLN.ico"

I realize this extension below allow the attacker to go through any extension listed.

"/0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' } ".

Is there a way/fix to handle the bypass and what rule or extension should I use instead?

Any help you could provide would be much appreciated!

Thanks!

tb1687196 · Accepted Answer

Hi @teaevo ,Please consider removing "extension" from your filter section. For security reason you can implement below to allow the mime types. /0041 { /type "allow" /glob "* *.css *" } # enable css/0042 { /type "allow" /glob "* *.gif *" } # enable gifs/0043 { /type "allow" /glob "* *.ico *" } # enable icos/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)/0045 { /type "allow" /glob "* *.png *" } # enable png/0046 { /type "allow" /glob "* *.swf *" } # enable flash/0047 { /type "allow" /glob "* *.svg *" } # enable SVG/0048 { /type "allow" /glob "* *.woff *" } # enable woff/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf/0050 { /type "allow" /glob "* *.eot *" } # enable eot/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg/0052 { /type "allow" /glob "* *.otf *" } # enable otf For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded