Help required to avoid the bypassing of access control restrictions

Hi team!

During the recent bug bounty, we identified that hackers can bypass the AEM dispatcher rules and access the jcr:node data and other sensitive information.
Below are a few patterns/URLs that bypass the authentication and lead to access to the sensitive data:

https://www-qa1.salesforce.com/etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js/.%7D./.%7D...
http://answers.salesforce.com/etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js/.%7D./.%7D....

http://answers.salesforce.com/etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js//.%7D./.%7D...
http://answers.salesforce.com/etc/segmentation/sfdc-www.segment.js/jcr:content/%5b.%5b./%5B.%5b./%5b... (fixed in prod. Added just for reference)

We added a few rules at the dispatcher level to disallow these kinds of path traversals, as below.

RewriteCond %{REQUEST_URI} ^(.*)\/[.%5B](?i).*
RewriteRule .+ "-" [R=404,L]

RewriteCond %{REQUEST_URI} ^(.*)\/[.%7D](?i).*
RewriteRule .+ "-" [R=404,L]


Query/help required: Please let me know of any other known patterns that bypass the dispatcher rules and cause serious/dangerous path traversal and data leakage. We will handle them at the dispatcher level.

Question: How do %7D and %5B bypass the dispatcher rules and cause the data leakage? Please help us understand the internal logic behind these Unicode chars.
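Added example, not from the post above or from Adobe/AEM: a defender-side log check that percent-decodes and normalizes each request path before inspecting it, instead of matching the raw `%7D`/`%5B` bytes the way the RewriteCond rules do, so that double encoding or a doubled slash cannot slip past the pattern. The access-log lines and all function names are constructed for this example; the request paths reuse the truncated patterns quoted in the question.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the post); paths 2-4 reuse the truncated
# bypass patterns quoted in the question, paths 1 and 5 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2024:00:00:00 +0000] "GET /etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js HTTP/1.1" 200 512
10.0.0.2 - - [01/Jan/2024:00:00:01 +0000] "GET /etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js/.%7D./.%7D HTTP/1.1" 200 4096
10.0.0.3 - - [01/Jan/2024:00:00:02 +0000] "GET /etc.clientlibs/dam/clientlibs/assetinsights/pagetracker.js//.%7D./.%7D HTTP/1.1" 200 4096
10.0.0.4 - - [01/Jan/2024:00:00:03 +0000] "GET /etc/segmentation/sfdc-www.segment.js/jcr:content/%5b.%5b./%5B.%5b HTTP/1.1" 200 8192
10.0.0.5 - - [01/Jan/2024:00:00:04 +0000] "GET /content/site/en.html HTTP/1.1" 200 1024
"""

REQUEST_LINE = re.compile(r'^(\S+) .*"(?:GET|HEAD|POST) (\S+) HTTP/')

def canonicalize(path: str) -> str:
    """Drop the query string, percent-decode until the value stops changing
    (so %257D -> %7D -> '}' cannot hide) and collapse runs of '/'.
    All matching is done on this decoded form, never on the raw bytes."""
    path = path.split("?", 1)[0]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return re.sub(r"/{2,}", "/", path)

def suspicious_reasons(raw_path: str) -> list[str]:
    """Explain why a path looks like Sling suffix/selector abuse. Heuristics:
    a decoded segment starting with '.', containing '[' or '}', or naming a
    jcr:* node is not something a legitimate clientlib URL produces."""
    reasons = []
    for segment in canonicalize(raw_path).split("/"):
        if segment.startswith("."):
            reasons.append(f"dot-segment {segment!r}")
        elif segment.startswith("jcr:"):
            reasons.append(f"repository node {segment!r}")
        elif "[" in segment or "}" in segment:
            reasons.append(f"bracket/brace in segment {segment!r}")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, raw_path, reasons) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m and (reasons := suspicious_reasons(m.group(2))):
            hits.append((m.group(1), m.group(2), reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

The same canonicalize-then-inspect order is what a dispatcher or WAF rule needs: Apache hands mod_rewrite an already-decoded %{REQUEST_URI}, so a pattern written against the literal text `%7D` is checking something different from what the rule author intended.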