Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

Making QueryBuilderFeedServlet private

Avatar

Level 2
Level 2
7/27/23 2:30:26 PM

After doing a vulnerability scan we found the following vulnerability. How can I make the page not publicly accessible? It doesn't even mention what the page address is for this. I'm trying to find references to the servlet right now but am having a hard time. 

 

Adobe Experience Manager QueryBuilderFeedServlet page is publicly accessible. Sensitive information might be exposed via AEM's QueryBuilderFeedServlet.

 

Views

828

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
7/27/23 7:44:53 PM
In response to Kerryu1

@Kerryu1 Please check the below post which has the similar query

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/should-not-respond-to-get-...

 

you can try like this in your dispatcher filter rules, "wknd" is sample site

 

##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}

  

View solution in original post

Views

814

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Level 2
Level 2
7/27/23 2:32:38 PM

Update: I found the feed to be accessible via '/bin/querybuilder.feed' url. What would be the best approach to making this private? I don't know if it's a crucial endpoint for end users or not as well.

Views

825

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
7/27/23 7:44:53 PM
In response to Kerryu1

@Kerryu1 Please check the below post which has the similar query

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/should-not-respond-to-get-...

 

you can try like this in your dispatcher filter rules, "wknd" is sample site

 

##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}

  

Views

815

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
If I am making the checkbox default checked, on some existing pages checkbox is not showing checked Solved

Views

252

Likes

0

Replies

1
AEMaaCS / EDS - Making cdn.yaml configs scalable Solved

Views

441

Likes

0

Replies

3
Make context aware config field value dynamic. Solved

Views

713

Likes

0

Replies

7
How to unlock the default metadata in aem cloud and make the title and description fields as mandatory without creating a custom metadata schema. Solved

Views

367

Likes

0

Replies

1
[beginner] Curl command gives a 302 error instead of 200 response while trying to fetch content fragment and making changes Solved

Views

731

Likes

0

Replies

3