content insight servlet

kartheekd203042
12-07-2018

Hi Experts,

Can anyone help me understand the purpose of the below servlet and what it is used for?

http://localhost:4502/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.23.css

Our team reported a vulnerability: using this servlet, they can perform SSRF attacks and reach the publisher, bypassing the dispatcher.

Restricting it is an immediate measure we have taken, but we would like to understand the impact of restricting it at the dispatcher.

Any inputs or links referring to the original documentation would be of great help.

Regards

Kartheek

lmha
Employee

03-08-2018

Hi Kartheek,

Apologies for the delay; I was confirming whether the information is fine to release to the public.

The workaround, instead of installing the patch, is to:

Change the “Whitelist” value from .*/api[0-9]*.omniture.com/.* to https?:\/\/api(\d+)?\.omniture\.com(:\d+)?\/rs\/0\.5\/.* within the /system/console/configMgr/com.adobe.cq.contentinsight.impl.servlets.ReportingServicesProxyServlet configuration.

Please make sure to upgrade to the latest official patch when possible.

Regards,

Lisa
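A constructed regex check, added here and not part of the thread or of Adobe's code, that compares the original and the corrected "Whitelist" values against a few sample target URLs. It assumes the servlet matches the whole URL against the pattern (re.fullmatch); the servlet's actual matching call is not shown in the thread.

```python
import re

# Allowlist patterns quoted in the reply above. Whole-string matching is an
# assumption: the servlet's real matching call is not on the page.
OLD_WHITELIST = r".*/api[0-9]*.omniture.com/.*"
NEW_WHITELIST = r"https?:\/\/api(\d+)?\.omniture\.com(:\d+)?\/rs\/0\.5\/.*"


def allowed(pattern: str, url: str) -> bool:
    """Return True if the proxy allowlist admits this target URL."""
    return re.fullmatch(pattern, url) is not None


# Constructed samples: the intended reporting endpoint, a valid host with an
# explicit port, a wrong API path, an Omniture name appearing only in the
# path of another host, and a host that only matches an unescaped dot.
SAMPLES = [
    "https://api.omniture.com/rs/0.5/report",
    "https://api2.omniture.com:443/rs/0.5/report",
    "https://api.omniture.com/rs/0.4/report",
    "http://internal.example/api.omniture.com/",
    "https://api-omniture.com/rs/0.5/report",
]


def compare(urls=SAMPLES):
    """Map each URL to (admitted by old pattern, admitted by new pattern)."""
    return {u: (allowed(OLD_WHITELIST, u), allowed(NEW_WHITELIST, u)) for u in urls}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"{url:50} old={old!s:5} new={new}")
```

The corrected pattern anchors the scheme and host, escapes the dots, and pins the /rs/0.5/ path, so only the Omniture reporting API is admitted; the original pattern admitted any URL whose path happened to contain an "api…omniture…com" segment.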