Are there any /bin/* urls that are at security risk in AEM?

yogeshVaidya

09-07-2019

I am allowing all of the URLs starting with /bin in my dispatcher setup. I am also using various servlets with different extensions (.txt, .xml). I found out that my dispatcher is exposing querybuilder's .json URL.  I have followed the dispatcher security checklist but it doesn't have the /bin/* URLs in the checklist. I am looking for a recommended approach for blocking /bin/* URLs.

Accepted Solutions (1)

Accepted Solutions (1)

Jörg_Hoh

Employee

09-07-2019

Blocking the url pattern "/bin/*" on author will break authoring functionality. But that's only true for authoring.

On publish requests should only happen to resourcetypes, thus only requests hitting "/content" plus maybe "/etc" should be necessary. That's also a reason why you should never bind servlets to paths directly: It will make your live much easier if you need to secure your instances.

Jörg

Answers (6)

Answers (6)

jbrar

Employee

09-07-2019

If you are using dispatcher in front of the author, then you still need to allow "/bin" but for production publish instance the approach you mentioned looks good, block "/bin" and then allow project specific servlets.

That being said, still, I would recommend you perform testing to make sure there is no operation on publish instance that requires users to make a POST call to OOTB servlets under "/bin"

yogeshVaidya

09-07-2019

Hi Jaydeep,

I believe requests like ​ http://localhost:4502/bin/wcmcommand​ are used internally by AEM and thus I want to block those request on dispatcher as I don't the user to access these internal requests via public URL. I do have the rule that you have mentioned but. I want to block all URLs other than my own servlets via dispatcher as I want to expose my servlet only on public URL.
I am looking for a standard approach/best practice. I had thought of serving all of my servlets via /bin/project_name/* then blocking /bin/* and later allowing /bin/project_name/* This will block all the servlets via bin except the /bin/project_name/ servlets. But I am not sure if this is a standard approach for servlets.

jbrar

Employee

09-07-2019

As far as i know, most of the AEM servlets are being served from "/bin" Example:

http://localhost:4502/bin/wcmcommand

This is used whenever you perform any page related operations. So, I highly advise against blocking "/bin"

You should be allowing it as per the URL below as per the dispatcher configuration doc at [1]

/0022 { /type "allow" /url "/bin/*" }

[1] Configuring Dispatcher

yogeshVaidya

09-07-2019

Hi Anuj,

though there are no nodes, I found that it http://localhost:4502/bin/querybuilder.json?path=/content_Path&type=cq:Page&p.limit=-1 this query builder's servlet was exposed over the dispatcher. I am looking for other servlets of AEM similar to query builder's servlet which are exposing data.

anujg3325839

09-07-2019

Hi

The /bin folder is an empty one, and it does not contain any node default from AEM. It is given for the custom development just in case some developer wants to use it for there servlet. hence no security issue from default AEM perspective. But if you are planning to use it and add some stuff in it for internal use, you can block it on the dispatcher. else you can leave it as it does not contain anything.

Thx, Anuj