Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

AEM Dispatcher handle bypass extension filter

Avatar

Level 1

Hi there,

 

I'm trying to set up our dispatcher, but realize attacker able to bypass the default filter by appending ";%0aJLN.ico" such as some of the endpoints affected like "https://website.com/check.jsp;%0aJLN.ico"

 

I realize this extension below allow the attacker to go through any extension listed.

"/0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' } ".

 

Is there a way/fix to handle the bypass and what rule or extension should I use instead?

 

Any help you could provide would be much appreciated!

Thanks!

1 Accepted Solution

Avatar

Correct answer by
Level 3

Hi @teaevo ,

Please consider removing "extension" from your filter section. For security reason you can implement below to allow the mime types. 

/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.otf *" } # enable otf

 

For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/


View solution in original post

3 Replies

Avatar

Correct answer by
Level 3

Hi @teaevo ,

Please consider removing "extension" from your filter section. For security reason you can implement below to allow the mime types. 

/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js* *" } # enable javascript (with ?querystrings)
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.otf *" } # enable otf

 

For details you can look into this link: https://labs.f-secure.com/blog/securing-aem-with-dispatcher/


Avatar

Level 1

Is there any alternate solution if I want on the same line like '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)' ?

Avatar

Level 3

Hi @teaevo ,

Your given lines i have segregated and given separately in the comment. In place of "extenstion" use that set. That holds the same meaning.