Hackers found vulnerabilities with 'form' selector | Community
March 14, 2024

hi folks,


Hackers told us that they can access various URLs using a selector "form".

We don't have AEM Forms, so I am just going to get rid of this selector like this.

I assume this is OK?


/0xxx { /type "deny" /url "*" /selectors 'form' }


The hackers told us they could download a truststore file with the URL below. However, if I look in our Tools -> Security -> Trust Store UI, it is empty, as I never put anything into it.


https://www.xxxxx.com/content/dam/jcr:content.form.pdf/etc/truststore/truststore.p12.res


Do you reckon the file is just junk? It is just a 1K file and looks like Chinese chars.


thanks all


4 replies

SureshDhulipudi
Community Advisor
March 15, 2024

Yes, the above rule will work to deny or block any requests with the 'form' selector.


Did you get a chance to check the logs to get more details on the hackers' URL and find out how they were able to download a trust store file?

Generally, the truststore file is used to store certificates that the client trusts. If you haven't added any certificates to it, it should be empty. However, it's concerning that hackers were able to download it. Even if it's empty, it's a security risk to expose it.

Check your dispatcher and AEM configurations to ensure that they don't allow unauthorized access to sensitive paths like /etc/truststore path.

Level 6
March 15, 2024

Thanks Suresh,

They seem to be able to use the .form. selector to break into the system.

I don't know why that selector allows it.

I don't know if blocking the .form. selector would break AEM Forms if you had them (we don't).

Once I block the .form. selector, they can't get at /etc/truststore anymore.

I will try to add some extra rules for /etc/truststore also.

arunpatidar
Community Advisor
March 15, 2024

Hi @fionas76543059
Generally, we deny everything and only whitelist what should be allowed in the filter files,

e.g. https://github.com/arunpatidar02/aemaacs-aemlab/blob/master/dispatcher.cloud/src/conf.dispatcher.d/filters/default_filters.any


You can disable all the other rules if they are not in use.

Arun Patidar
April 4, 2024

But still URLs like test.pdf/jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip will be allowed,

since it's the suffix here:

suffix: /jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip


arunpatidar
Community Advisor
April 4, 2024

Hi @aneeshun
You can block these paths using rewrite rules.


Example:

RewriteRule ^(.+)\.pdf/.*$ $1.pdf [L,R=301]


Arun Patidar
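Added illustration (not code from this thread, AEM, or the dispatcher): a small Python model of how the dispatcher splits a request URL into path, selectors, extension and suffix, used to check the 'form' deny rule and the RewriteRule above against the two URLs discussed. The first-dot/next-slash split is an assumption about the dispatcher's syntactic parsing, and the /content prefix on the suffix example is constructed.

```python
import re
from fnmatch import fnmatchcase

# RewriteRule ^(.+)\.pdf/.*$ $1.pdf from the thread as a Python regex ($1 -> \1).
REWRITE = (re.compile(r"^(.+)\.pdf/.*$"), r"\1.pdf")

# The thread's filter: /0xxx { /type "deny" /url "*" /selectors 'form' }.
# A real config starts with a deny-all rule; this demo defaults to allow.
FILTERS = [{"type": "deny", "url": "*", "selectors": "form"}]

# URLs from the thread; the /content prefix on the second one is constructed.
TRUSTSTORE_URL = "/content/dam/jcr:content.form.pdf/etc/truststore/truststore.p12.res"
SUFFIX_URL = "/content/test.pdf/jcr:content.form./crx/packmgr/service.jsp/file.res/file.zip"

def decompose(url):
    """Assumed model of the dispatcher's syntactic split (not dispatcher source):
    the first '.' ends the resource path, the next '/' starts the suffix, and
    the dot-separated parts in between are the selectors, then the extension."""
    dot = url.find(".")
    if dot == -1:
        return {"path": url, "selectors": "", "extension": "", "suffix": ""}
    slash = url.find("/", dot)
    head = url[dot + 1:] if slash == -1 else url[dot + 1:slash]
    parts = head.split(".")
    return {"path": url[:dot], "selectors": ".".join(parts[:-1]),
            "extension": parts[-1], "suffix": "" if slash == -1 else url[slash:]}

def matches(rule, url, parts):
    """A rule applies only if every glob it specifies matches its URL part."""
    for key in ("url", "path", "selectors", "extension", "suffix"):
        if key in rule:
            subject = url if key == "url" else parts[key]
            if not fnmatchcase(subject, rule[key]):
                return False
    return True

def decide(url, rewrite=True):
    """Return (verdict, effective_url, parts); the last matching rule wins."""
    if rewrite:
        url = REWRITE[0].sub(REWRITE[1], url)
    parts = decompose(url)
    verdict = "allow"
    for rule in FILTERS:
        if matches(rule, url, parts):
            verdict = rule["type"]
    return verdict, url, parts

if __name__ == "__main__":
    for u in (TRUSTSTORE_URL, SUFFIX_URL):
        print(u, "->", decide(u, rewrite=False)[0], "| with rewrite:", decide(u)[0])
```

Without the rewrite, the `.form.` in the second URL sits entirely in the suffix, so the selector rule never sees it; the rewrite strips everything after `.pdf/` before the filter runs.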
kautuk_sahni
Community Manager
May 16, 2024

@fionas76543059 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni