blocking /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl

rajeshs28932860

28-02-2019

Recently we had our security tests on the platform, where one finding raised as critical was the request sent to /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl under cross-site scripting, tampering with the request to execute script.

Now the question: will there be any impact on author if I block .permissions.json/* requests in the dispatcher? Does it affect any functionalities?

Thank you,
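As an added illustration (not part of the original thread), this is the shape a dispatcher filter rule for the request in the question would take. The rule numbers and the surrounding allow/deny rules are assumed placeholders; the only page-specific value is the `.permissions.json` path itself. The comments carry the trade-off that the rest of the thread spells out, so that anyone copying the rule sees what it would cost on an author instance.

```conf
# dispatcher.any fragment (assumed example, not from the thread)
/filter
  {
  # Placeholder baseline: deny everything, then allow what the site needs.
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /method "GET" /url "/content/*" }

  # Block the endpoint from the security finding. Later rules win in the
  # dispatcher, so this deny overrides the /content/* allow above.
  # Caveat for an AUTHOR instance (from the thread): this also breaks
  # useradmin's permission display and hides the "private" checkbox in the
  # Touch UI Assets "Create Folder" dialog, because both read this JSON.
  /0100 { /type "deny" /method "GET" /url "*/.permissions.json*" }
  }
```

If the concern is only the tampered `privileges` query parameter rather than the endpoint as a whole, the same rule can be narrowed with a `/query` element in place of blocking the URL outright; either way, test useradmin and the Assets folder dialog on author before rolling it out.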

Accepted Solutions (1)

PuzanovsP

MVP

28-02-2019

Hi Rajesh,

There will be other areas, not used by Content Authors, that are affected too.

One major area, as I can immediately see, would be the permission/user/group management tool, useradmin; it would completely stop displaying all permissions for a specific user/group.

Regards,

Peter

Answers (5)

rajeshs28932860

28-02-2019

Thanks Peter,

It has a major effect for admins; I would take it as not to block, since it has its side effects.

I would raise it with Adobe to see what they can actually do about it.

rajeshs28932860

28-02-2019

Hi Peter,

Thanks. I also need it for AEM 6.4 SP2.

Is that the only functionality affected if I block it? Will the rest work as expected? Won't there be any issues with user permissions or for authors?

Thank you,

PuzanovsP

MVP

28-02-2019

Hi Rajesh,

Thank you for your reply,

When you click the "Create Folder" button in the Touch UI Assets browser, you won't see the checkbox option that says "private"; it simply won't be there, because AEM could not retrieve the request's value, and so it won't be shown.

Please note, I have used AEM 6.4 SP2 to get this info.

Regards,

Peter

PuzanovsP

MVP

28-02-2019

Hi Rajesh,

Just to confirm: you want to block the .permission.json/* endpoint for all your content authors in your AEM author instance?

Regards,

Peter