Is AEM author vulnerable to OWASP Unrestricted File Upload | Community
June 28, 2019

Is AEM author vulnerable to OWASP Unrestricted File Upload

  • June 28, 2019
  • 2 replies
  • 3784 views

Hello,
I was reading about the OWASP Top Ten and was wondering if the AEM Author is vulnerable to the Unrestricted File Upload vulnerability.
Here is my understanding: Taking into account that in AEM Author we have the DAM file upload, we have here a possible candidate for an OWASP Unrestricted File Upload. But since the access to the DAM file upload is restricted to trusted users, although the only possible prevention for this is the MIME type whitelisting in the OSGi Web Console, should this still be considered an Unrestricted File Upload vulnerability without other more advanced checks (i.e. file upload frequency, file magic number checking)?


2 replies

Adobe Employee
June 28, 2019

You may want to check the following document:

OWASP Top 10

Note: I don't see Unrestricted File Upload listed in the OWASP Top Ten.

June 28, 2019

You are right regarding the unrestricted file upload not being listed in the OWASP Top Ten, but I would like to know if AEM mitigates this vulnerability.

Adobe Employee
June 28, 2019

Based on CVE reports for AEM security vulnerabilities, AEM should not be vulnerable to unrestricted file upload.

https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-33138/Adobe-Experience-Manager.html

joerghoh
Adobe Employee
June 29, 2019

You mean the "problem" that every authenticated user with write access to /content/dam can upload binary files, with not that much control over what actually is uploaded?

Is that an actual vulnerability? And if it's a vulnerability, how would you prevent it without removing the ability to upload binaries altogether?

July 1, 2019

Yes, the case in which an authenticated user can write anything to /content/dam. According to OWASP (https://www.owasp.org/index.php/Unrestricted_File_Upload) this is considered a vulnerability. But since only authenticated users can upload files, I was wondering if it is still considered a vulnerability.

Regarding the countermeasure for that issue, it would be to have a processor in the Sling request filter chain to handle the file upload checking, having then a way to check whether the MIME type is allowed, whether the file magic number matches the MIME type, and other validations that may be relevant.
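The countermeasure described in the post above, written out as an added example (it is not code from this thread, from Adobe, or from the AEM product): a Sling request filter that rejects a DAM upload unless its declared MIME type is on a whitelist and the first bytes of the stream are the magic number of that type. The whitelist, the `/content/dam/.*` path pattern, the upload parameter name `file` and the use of Java 11 APIs (`Map.of`, `readNBytes`) are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestParameter;
import org.osgi.service.component.annotations.Component;

// Rejects DAM uploads whose declared MIME type is not whitelisted or whose
// leading bytes (magic number) do not match that declared type.
@Component(service = Filter.class, property = {"sling.filter.scope=REQUEST",
        "sling.filter.pattern=/content/dam/.*"}) // assumed: only asset paths
public class UploadValidationFilter implements Filter {

    // Assumed whitelist: declared MIME type -> magic bytes the content must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "image/png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
            "image/jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "application/pdf", new byte[]{'%', 'P', 'D', 'F'});

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        // "file" is the assumed name of the upload parameter; only POSTs carry uploads.
        RequestParameter upload = "POST".equals(request.getMethod())
                ? request.getRequestParameter("file") : null;
        if (upload != null && !upload.isFormField() && !isAllowed(upload)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE,
                    "upload rejected: MIME type not whitelisted or content does not match it");
            return;
        }
        chain.doFilter(req, resp);
    }

    // True only if the declared type is whitelisted AND the stream starts with its magic bytes.
    static boolean isAllowed(RequestParameter upload) throws IOException {
        String declared = upload.getContentType();
        if (declared == null) return false;
        byte[] expected = MAGIC.get(declared.split(";")[0].trim().toLowerCase());
        if (expected == null) return false;   // declared type is not on the whitelist
        try (InputStream in = upload.getInputStream()) {
            return Arrays.equals(in.readNBytes(expected.length), expected);
        }
    }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The filter only covers the request path it is registered for, so an upload arriving through another servlet or path would need the same check applied there.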

joerghoh
Adobe Employee
July 1, 2019

If a user could not upload binary data to a Digital Asset Management system, what would be the purpose of this system then? You could use the same argument with Dropbox or any other storage service.

If I understand the linked OWASP page correctly, the biggest issue with the upload is the case that this binary might get executed on the server. And from what I know and understand, AEM is not affected by such a problem.