AMS has run an inspection on our dispatcher and asked us to block the paths below:
should NOT respond to GET /bin/querybuilder.feed.css with 200
should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200
should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200
should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200
For that to be implemented, I have written the dispatcher rules as below and run the test again:
{ /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
{ /type "deny" /url "/crx/de/index.jsp" /extension '(css)'}
{ /type "deny" /url "/crx/explorer/index.jsp" /extension '(css)'}
But it does not seem to fix the issue. Can someone suggest where I am going wrong?
Gaurav-Behl
MVP
18-04-2019
/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
in your dispatcher.any works for me to block '/bin/querybuilder.feed.css'
Jörg_Hoh
Employee
23-04-2019
These are very specific URLs, which should be covered already by the list provided as part of the security checklist. So from my point of view it does not make very much sense to block these specifically, but rather to check whether the checklist is active at all.
# open consoles
# /0012 { /type "allow" /glob "* /crx/*" } # allow content repository
# /0013 { /type "allow" /glob "* /system/*" } # allow OSGi console
# allow non-public content directories
# /0021 { /type "allow" /glob "* /apps/*" } # allow apps access
# /0022 { /type "allow" /glob "* /bin/*" }
should block all requests to /bin/* and /crx/* (which is a superset of the URLs mentioned). Can you check if you can access CRX DE Lite through the dispatcher (you shouldn't)?
Jörg
kautuk_sahni
Community Manager
23-04-2019
Joerg Hoh, need your assistance.
teamu33465496
17-04-2019
Seems like /crx/explorer/index.jsp;%0aa.css is blocked. But /bin/querybuilder.feed.css is not blocked. Can I get ideas on how to implement this?
teamu33465496
17-04-2019
Using the below configs, I was able to block /crx/de/index.jsp;%0aa.css and /bin/querybuilder.json.servlet;%0aa.css
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.css"}
But I am not able to block /crx/explorer/index.jsp;%0aa.css and /bin/querybuilder.feed.css
So, for blocking the above paths/URLs, can these configs be used?
{ /type "deny" /url "/bin/querybuilder*.*.css" }
{ /type "deny" /url "/crx/explorer/*.css" }
Gaurav-Behl
MVP
08-04-2019
you missed ";0a" in your config
try these -
{ /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)' }
{ /type "deny" /path "/crx/*" /extension '(css)' }
or
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.css"}
teamu33465496
08-04-2019
Here is our config file.
# only handle the requests in the following acl. default is 'none'
# the glob pattern is matched against the first request line
/filter
{
# deny everything and allow specific entries
/0001 { /type "deny" /glob "*" }
# open consoles
# /0012 { /type "allow" /glob "* /crx/*" } # allow content repository
# /0013 { /type "allow" /glob "* /system/*" } # allow OSGi console
# allow non-public content directories
# /0021 { /type "allow" /glob "* /apps/*" } # allow apps access
# /0022 { /type "allow" /glob "* /bin/*" }
/0023 { /type "allow" /glob "* /content*" } # disable this rule to allow mapped content only
/0024 { /type "deny" /glob "* /content/boost*" } #block boost on sprint.com
# /0024 { /type "allow" /glob "* /libs/*" }
# /0025 { /type "deny" /glob "* /libs/shindig/proxy*" } # if you enable /libs close access to proxy
# /0026 { /type "allow" /glob "* /home/*" }
# /0027 { /type "allow" /glob "* /tmp/*" }
# /0028 { /type "allow" /glob "* /var/*" }
# enable specific mime types in non-public content directories
/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js *" } # enable javascript
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
/0052 { /type "allow" /glob "* *.woff2 *" } # enable woff2
/0053 { /type "allow" /glob "* *.map *" } # enable source maps
# enable features
/0061 { /type "allow" /glob "POST /content/[.]*.form.html" } # allow POSTs to form selectors under content
/0062 { /type "allow" /glob "* /libs/cq/personalization/*" } # enable personalization
/0063 { /type "allow" /glob "POST /content/[.]*.commerce.cart.json" } # allow POSTs to update the shopping cart
# deny content grabbing
/0081 { /type "deny" /glob "GET *.infinity.json*" }
/0082 { /type "deny" /glob "GET *.tidy.json*" }
/0083 { /type "deny" /glob "GET *.sysview.xml*" }
/0084 { /type "deny" /glob "GET *.docview.json*" }
/0085 { /type "deny" /glob "GET *.docview.xml*" }
/0086 { /type "deny" /glob "GET *.*[0-9].json*" }
/0087 { /type "deny" /glob "GET *.feed.xml*" }
# /0088 { /type "allow" /glob "GET *.1.json*" } # allow one-level json requests
# deny query
/0090 { /type "deny" /glob "* *.query.json*" }
#Elham's changes
/0091 { /type "deny" /glob "GET /content.pages.json*" }
/0092 { /type "deny" /glob "GET /content.languages.json*" }
/0093 { /type "deny" /glob "GET /content.blueprint.json*" }
/0094 { /type "deny" /glob "GET /content.feed.html*" }
# allow new data servlet - must appear after the deny content grabbing rule, as selectors may end with a digit.
/0100 { /type "allow" /glob "GET /etc/devices.*.json*" }
/0101 { /type "allow" /glob "GET /etc/accessories.*.json*" }
/0102 { /type "allow" /glob "GET /etc/services.*.json*" }
/0103 { /type "allow" /glob "GET /etc/plans.*.json*" }
/0104 { /type "allow" /glob "GET /etc/tagexplorer.*.json*" }
/0105 { /type "allow" /glob "GET /etc/promos.*.json*" }
/0106 { /type "allow" /glob "GET /etc/support.*.json*" }
/0107 { /type "allow" /glob "GET /etc/knowledge.*.json*" }
/0108 { /type "allow" /glob "GET /etc/appcontent.*.json*" }
/0109 { /type "allow" /glob "GET /etc/appcontent.*.strings*" }
/0110 { /type "allow" /glob "GET /etc/appcontent.*.xml*" }
/0111 { /type "allow" /glob "GET /etc/appcontent.*.jsonp*" }
/0112 { /type "allow" /glob "GET /etc/appcontent.*.txt*" }
/0113 { /type "allow" /glob "GET /etc/adminpage.*.json*" }
/0114 { /type "allow" /glob "GET /etc/devices.*.shtml*" }
# Implementing the below rules as per the AMSSEC recommendations
/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
/0121 { /type "deny" /url "/crx/de/index.jsp" /extension '(css)'}
/0122 { /type "deny" /url "/crx/explorer/index.jsp" /extension '(css)'}
# allow rsrc under /rsrc/
/0130 { /type "allow" /glob "* /rsrc/*" }
}
# allow propagation of replication posts (should seldomly be used)
/propagateSyndPost "0"
# the cache is used to store requests from the renders for faster delivery
# for a second time.
/cache
{
# the cacheroot must be equal to the document root of the webserver
/docroot "/mnt/var/www/html"
# sets the level upto which files named ".stat" will be created in the
# document root of the webserver. when an activation request for some
# handle is received, only files within the same subtree are affected
# by the invalidation.
/statfileslevel "2"
# caches also authorized data
/allowAuthorized "0"
# the rules define, which pages should be cached. please note that
# - only GET requests are cached
# - only requests with an extension are cached
# - only requests without query parameters ( ? ) are cached
# - only unauthorized pages are cached unless allowUnauthorized is set to 1
/rules
{
/0000
{
# the globbing pattern to be compared against the url
# example: * -> everything
# : /foo/bar.* -> only the /foo/bar documents
# : /foo/bar/* -> all pages below /foo/bar
# : /foo/bar[./]* -> all pages below and /foo/bar itself
# : *.html -> all .html files
/glob "*"
/type "allow"
}
#Prevent dispatcher caching of servlet output
/0001 { /type deny /glob "/etc/plans*.json*" }
/0002 { /type deny /glob "/etc/devices*.json*" }
/0003 { /type deny /glob "/etc/accessories*.json*" }
/0004 { /type deny /glob "/etc/tagexplorer*.json*" }
/0005 { /type deny /glob "/etc/services*.json*" }
/0006 { /type deny /glob "/etc/promos*.json*" }
/0007 { /type deny /glob "/etc/support*.json*" }
/0008 { /type deny /glob "/etc/knowledge*.json*" }
/0009 { /type deny /glob "/etc/appcontent.*.json" }
/0010 { /type deny /glob "/etc/appcontent.*.strings" }
/0011 { /type deny /glob "/etc/appcontent.*.xml" }
/0012 { /type deny /glob "/etc/appcontent.*.jsonp" }
/0013 { /type deny /glob "/etc/appcontent.*.txt" }
/0014 { /type deny /glob "/etc/adminpage.*.json" }
/0025 { /type deny /glob "/etc/devices.productSupport.*" }
/0026 { /type deny /glob "/rsrc/sprint/sellabledevices/*" }
}
/ignoreUrlParams
{
/0001 { /type allow /glob "*" }
}
# the invalidate section defines those pages which are 'invalidated' after
# any activation. please note that, the activated page itself and all
# related documents are flushed on an modification. for example: if the
# page /foo/bar is activated, all /foo/bar.* files are removed from the
# cache.
/invalidate
{
/0000
{
/glob "*"
/type "deny"
}
/0001
{
/glob "*.html"
/type "allow"
}
}
/allowedClients
{
/0000
{
/glob "*.*.*.*"
/type "deny"
}
$include "publish-invalidate-allowed.any"
}
# A grace period defines the number of seconds a stale, auto-invalidated
# resource may still be served from the cache after the last activation
# occurring. Auto-invalidated resources are invalidated by any activation,
# when their path matches the /invalidate section above. This setting
# can be used in a setup, where a batch of activations would otherwise
# repeatedly invalidate the entire cache.
#
/gracePeriod "2"
}
# the statistics define, how the load should be balanced among the renders
# according to the media-type.
/statistics
{
/categories
{
/html
{
/glob "*.html"
}
/others
{
/glob "*"
}
}
}
}
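The following is an added Python model, not code from any post in this thread, of how the /filter section decides a request: each rule's glob is matched against the first request line (as the comment at the top of the posted dispatcher.any says), and the last matching rule wins. It models /glob-style rules only, so the /path, /selectors, /extension and /url rules (/0120 to /0122) are deliberately left out, and the request lines are constructed for the four URLs AMS flagged plus an ordinary clientlib as a control. Run against a subset of the posted rules, it shows that every probe ends in .css, so /0041 (allow "* *.css *") is its last match and the request is allowed no matter that it lives under /bin or /crx. The "hardened" rule set is a hypothetical rearrangement, not something suggested in the thread: the extension allows are scoped to /content and explicit denies for /bin/* and /crx/* are placed after every allow, so they become the last match for the probes while the control stays allowed.

```python
"""Toy model of the AEM dispatcher /filter section (glob rules only).

Added example; assumptions: a rule's /glob is matched against the whole
first request line ("METHOD URL PROTOCOL"), the last matching rule wins,
and a request matching no rule is denied. Non-glob rule properties
(/path, /selectors, /extension, /url) are not modelled.
"""
from fnmatch import fnmatchcase

# Constructed request lines for the four probes AMS flagged, plus a control
# request that a site would legitimately need to serve.
PROBES = [
    "GET /bin/querybuilder.feed.css HTTP/1.1",
    "GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1",
    "GET /crx/de/index.jsp;%0aa.css HTTP/1.1",
    "GET /crx/explorer/index.jsp;%0aa.css HTTP/1.1",
]
CONTROL = "GET /content/site/en/clientlibs/site.css HTTP/1.1"

# Subset of the /glob rules from the posted dispatcher.any, in file order.
ORIGINAL_RULES = [
    ("0001", "deny",  "*"),
    ("0023", "allow", "* /content*"),
    ("0041", "allow", "* *.css *"),
    ("0044", "allow", "* *.js *"),
    ("0090", "deny",  "* *.query.json*"),
    ("0130", "allow", "* /rsrc/*"),
]

# Hypothetical hardening (not from the thread): scope the asset-extension
# allows to /content and re-deny the consoles AFTER every allow rule, so the
# deny is the last matching rule for anything under /bin or /crx.
HARDENED_RULES = [
    ("0001", "deny",  "*"),
    ("0023", "allow", "* /content*"),
    ("0041", "allow", "* /content/*.css *"),
    ("0044", "allow", "* /content/*.js *"),
    ("0090", "deny",  "* *.query.json*"),
    ("0130", "allow", "* /rsrc/*"),
    ("0200", "deny",  "* /bin/*"),
    ("0201", "deny",  "* /crx/*"),
]


def evaluate(rules, request_line):
    """Return (verdict, rule_id) for one request line.

    Every rule is tested in order and the LAST matching rule wins, so an
    allow placed after a deny silently reopens what the deny closed.
    """
    verdict, winner = "deny", None  # no match at all: request is denied
    for rule_id, rule_type, glob in rules:
        if fnmatchcase(request_line, glob):
            verdict, winner = rule_type, rule_id
    return verdict, winner


def audit(rules, request_lines):
    """Map each request line to (verdict, deciding rule id)."""
    return {line: evaluate(rules, line) for line in request_lines}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} rule set ==")
        for line, (verdict, rule_id) in audit(rules, PROBES + [CONTROL]).items():
            print(f"{verdict:5s} by /{rule_id}  {line}")
```

Running it prints the deciding rule for every line; transcribing a filter section into the same tuple form and feeding it to `audit` is a cheap way to see which allow reopens a path before restarting Apache and re-running the AMS probes.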
Gaurav-Behl
MVP
08-04-2019
If you've got a glob allow * then check the order of "allow" and "deny" for the specific URLs.
Please share your config if that doesn't work.