
SOLVED

How does AEM prevent SQL injection?


Level 4

How does AEM prevent SQL injection?

1 Accepted Solution


Correct answer by
Community Advisor

You should be fine; JCR_SQL2 is read-only, which means that you can only use the "SELECT" keyword.


10 Replies


Community Advisor

Please note that JCR SQL injections != RDBMS SQL injections. SQL in JCR is strictly read-only. As far as it is possible to manipulate a query, the only risk is information leakage. No data can be manipulated, as is the case with RDBMSes.

Arun Patidar
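
The two points in this reply, read-only JCR-SQL2 and the remaining information-leakage risk, shown in Java as an added example; this is not code from the thread or from Adobe. It assumes a javax.jcr.Session obtained the usual AEM way (resourceResolver.adaptTo(Session.class)); the class name, method names and the /content/mysite root are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Hypothetical lookup of page content nodes by a caller-supplied title.
 * Added example, not code from the thread; SITE_ROOT is a constructed value.
 */
public final class TitleLookup {

    private static final String SITE_ROOT = "/content/mysite";

    private TitleLookup() {}

    /**
     * UNSAFE pattern: the caller's text is spliced into the statement.
     * JCR-SQL2 cannot write, so no node is modified, but a value containing
     * a quote can rewrite the WHERE clause and widen the result set to
     * whatever the session is allowed to read (the "information leakage"
     * risk named in the reply).
     */
    public static List<String> findByTitleUnsafe(Session session, String userTitle)
            throws RepositoryException {
        String stmt = "SELECT * FROM [cq:PageContent] AS c"
                + " WHERE ISDESCENDANTNODE(c, '" + SITE_ROOT + "')"
                + " AND c.[jcr:title] = '" + userTitle + "'";
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt, Query.JCR_SQL2);
        return collectPaths(q.execute());
    }

    /**
     * SAFE pattern: the statement is constant and the value travels as a
     * JCR 2.0 bind variable ($title), so the query engine treats it as data
     * rather than as part of the query text.
     */
    public static List<String> findByTitle(Session session, String userTitle)
            throws RepositoryException {
        String stmt = "SELECT * FROM [cq:PageContent] AS c"
                + " WHERE ISDESCENDANTNODE(c, '" + SITE_ROOT + "')"
                + " AND c.[jcr:title] = $title";
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt, Query.JCR_SQL2);
        ValueFactory vf = session.getValueFactory();
        q.bindValue("title", vf.createValue(userTitle));
        return collectPaths(q.execute());
    }

    // Collect the repository paths of the matching nodes.
    private static List<String> collectPaths(QueryResult result) throws RepositoryException {
        List<String> paths = new ArrayList<>();
        for (NodeIterator it = result.getNodes(); it.hasNext();) {
            paths.add(it.nextNode().getPath());
        }
        return paths;
    }
}
```

Bind variables are only available on the javax.jcr.query.Query object; Sling's ResourceResolver.findResources(query, language) takes a finished string, so when a value comes from a request parameter, go through the JCR QueryManager as above. Whichever form is used, the result set is still bounded by the session's read ACLs, which is the point made later in the thread.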



Level 2

Hi

How can we prevent blind XPath injection for an AEM page??

Thanks
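
One practical answer to the XPath question, as an added example rather than code from the thread or from Adobe: do not assemble the XPath string by hand from request input; describe the query as a predicate map and let AEM's QueryBuilder generate the query text. It assumes a Sling ResourceResolver for the current request; the class and method names and the /content/mysite root are hypothetical.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.sling.api.resource.ResourceResolver;

import com.day.cq.search.Hit;
import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.SearchResult;

/**
 * Hypothetical page search by title. Added example, not code from the
 * thread; the site path is a constructed value.
 */
public final class PageSearch {

    private static final String SITE_ROOT = "/content/mysite";

    private PageSearch() {}

    /**
     * The hand-built form this replaces: everything inside the predicate
     * brackets is under the caller's control, which is where XPath injection
     * lives. Kept only to show what not to write.
     */
    static String handBuiltXpath(String userTitle) {
        return "/jcr:root" + SITE_ROOT + "//element(*, cq:PageContent)"
                + "[@jcr:title = '" + userTitle + "']";
    }

    /**
     * QueryBuilder form: the user's text is a predicate parameter value, not a
     * fragment of query text, and the API generates the query from the map.
     */
    public static List<String> findPagesByTitle(ResourceResolver resolver, String userTitle)
            throws RepositoryException {
        Map<String, String> params = new HashMap<>();
        params.put("path", SITE_ROOT);
        params.put("type", "cq:Page");
        params.put("property", "jcr:content/jcr:title");
        params.put("property.value", userTitle); // value, never query text
        params.put("p.limit", "50");             // keep the result set bounded

        QueryBuilder builder = resolver.adaptTo(QueryBuilder.class);
        Session session = resolver.adaptTo(Session.class);
        Query query = builder.createQuery(PredicateGroup.create(params), session);
        SearchResult result = query.getResult();

        List<String> paths = new ArrayList<>();
        for (Hit hit : result.getHits()) {
            paths.add(hit.getPath());
        }
        return paths;
    }
}
```

The same separation of query text from values is available with JCR-SQL2 bind variables on the JCR API. In either case, keep ordinary input validation in front of the query (length limit, expected character set) and remember that the session's read ACLs, not the query, decide what can be returned.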


Level 1

I have got a similar vulnerability in our latest report. Did you find any solution for this?


Level 1

Thanks @arunpatidar for the response. Does this mean we can ignore the critical vulnerability in our latest report?


Community Advisor

Hi @KiranVe1
Yes, you can't update/write on AEM if you don't have permission, and by design there is only read permission for queries.

So you can ignore it.

Arun Patidar