
Hackers found vulnerabilities with 'form' selector

Level 7

hi folks,


Hackers told us that they can access various urls using a selector "form".

We don't have AEM forms so I am just going to get rid of this selector like this,

I assume this is o.k.?


/0xxx { /type "deny" /url "*" /selectors 'form' }


The hackers told us they could download a truststore file with this URL below. However, if I look in our Tools -> Security -> Trust store UI,

it is empty as I never put anything into it.


https://www.xxxxx.com/content/dam/jcr:content.form.pdf/etc/truststore/truststore.p12.res


Do you reckon the file is just junk? It is just a 1K file and looks like Chinese chars.


thanks all

5 Replies


Community Advisor

Yes, the above rule will work to deny any requests or block requests with the 'form' selector.


Did you get a chance to check the logs to get more details on the hackers' URL - find out how they were able to download a trust store file.

Generally - The truststore file is used to store certificates that the client trusts. If you haven't added any certificates to it, it should be empty. However, it's concerning that hackers were able to download it. Even if it's empty, it's a security risk to expose it.

Check your dispatcher and AEM configurations to ensure that they don't allow unauthorized access to sensitive paths like /etc/truststore.


Level 7

Thanks Suresh, 

They seem to be able to use the .form. selector to break into the system.

I don't know why that selector allows it.

I don't know if blocking the .form. selector would break AEM Forms if you had them (we don't).

Once I block the .form. selector, they can't get at /etc/truststore anymore.

I will try to add some extra rules for /etc/truststore also.


Community Advisor

Hi @fionas76543059
Generally, we deny everything and only whitelist what should be allowed in the filter files.

e.g. https://github.com/arunpatidar02/aemaacs-aemlab/blob/master/dispatcher.cloud/src/conf.dispatcher.d/f...


You can disable all the other rules if they are not in use.



Arun Patidar


Level 1

But URLs like test.pdf/jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip will still be allowed,

since it's the suffix here:

suffix: /jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip



Community Advisor

Hi @ANEESHUN
You can block these paths using rewrite rules.


Example:

RewriteRule ^(.+)\.pdf/.*$ $1.pdf [L,R=301]




Arun Patidar
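To make the suffix point from this thread concrete, here is an added Python example (not code from the thread, from AEM or from the dispatcher) that splits a request path into the Sling path, selectors, extension and suffix in a simplified way, applies a check mirroring the /selectors 'form' deny rule plus a separate suffix check, and runs both over constructed access-log lines. It assumes the resource path ends at the first dot; real Sling resolves the longest existing resource first, so the split can differ on repositories with dots in node names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in Apache access-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /content/dam/jcr:content.form.pdf/etc/truststore/truststore.p12.res HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /content/dam/test.pdf/jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip HTTP/1.1" 200 4096
"""

@dataclass
class SlingUrl:
    path: str
    selectors: list = field(default_factory=list)
    extension: str = ""
    suffix: str = ""

def decompose(url_path: str) -> SlingUrl:
    """Simplified Sling decomposition: assumes the resource path ends at the first
    dot (real Sling resolves the longest existing resource first, so a folder
    whose name contains a dot would be split differently)."""
    url_path = url_path.split("?", 1)[0]          # query string is not part of the path
    m = re.match(r"^([^.]*)(?:\.([^/]*))?(/.*)?$", url_path)
    path, sel_ext, suffix = m.group(1), m.group(2) or "", m.group(3) or ""
    parts = sel_ext.split(".") if sel_ext else []  # "form.pdf" -> selectors ["form"], ext "pdf"
    return SlingUrl(path, parts[:-1], parts[-1] if parts else "", suffix)

def matched_rules(u: SlingUrl) -> list:
    """Names of the deny checks that catch this request. 'selectors' mirrors the
    /selectors 'form' rule from the thread and only sees the real selector part;
    'suffix' is the extra check needed for the bypass where 'form' sits in the suffix."""
    hits = []
    if "form" in u.selectors:
        hits.append("selectors")
    if u.suffix:
        hits.append("suffix")
    return hits

REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def scan_log(text: str) -> list:
    """Return (url, decomposition, matched rule names) for each request line."""
    out = []
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            u = decompose(m.group(1))
            out.append((m.group(1), u, matched_rules(u)))
    return out
```

Running scan_log(SAMPLE_LOG) shows the truststore URL caught by the selector rule, while the second URL from this thread carries 'form' only in its suffix and is caught by the suffix check alone.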