Need to block the below access in dispatcher file | Community
Skip to main content
V
vivianseba
Level 2
December 25, 2019
Solved

Need to block the below access in dispatcher file

  • December 25, 2019
  • 5 replies
  • 8419 views

Hi All,

As part of aem_hacker.py reports,requested us block the below access in our application.

bin/querybuilder.json.css
bin/querybuilder.feed.css
ibs/cq/security/userinfo.css
crx/de/index.jsp;%0aa.css


I have tried with the below deny rule in dispatcher.any file and it's not worked

 

  1. { /type "deny"  /url"/bin/querybuilder.feed.css" }
  2. { /type "deny"  /url"/bin/querybuilder.json.servlet;%0aa.css" }
  3. { /type "deny"  /url"/crx/de/index.jsp;%0aa.css" }
  4. { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
  5. { /type "deny" /url "*.userinfo.css"}
  6. { /type "deny" /url "/crx/*.css"
  7. { /type "deny" /path "/libs/*" }
  8. { /type "deny" /path "/bin/querybuilder*" }

Could you please suggest with solution to fix the hacker.py report issues ?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by ssatwork

We are also looking for a solution to block the querybuilder on publisher. 

 

We denied access to /bin. But we have to allow few extensions 

 

/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

 

We blocked CSS as below

 

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

 

However following is accessible on another extension

https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.limit=-100

 

Do we have to disallow querybuilder on all extensions which were allowed in /0040 rule. Any thoughts to do this little more deligently. 

 

 

 

 

 

5 replies

V
Adobe Employee
vish.dhaliwalAdobe Employee
Adobe Employee
December 25, 2019

The following rules have been tested in local setup. Please try below deny rules:

{ /type "deny" /url "/bin/querybuilder*.css" }
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.*.css" }

 

Regards,

Vishu

    Nirmal_Jose
    Adobe Employee
    Nirmal_JoseAdobe Employee
    Adobe Employee
    December 26, 2019
    Hi Vishu, it may not be just css extension and not just querybuilder servlet. It could be all the allowed extensions like js, png etc combined with the servlet Url
      U
      Adobe Employee
      user05162Adobe Employee
      Adobe Employee
      December 27, 2019

      You need to make sure there is no other rule that allows thew access as the last dispatcher rule will be honoured. Example:

       

      1) You denied access to files as part of a rule

      2) If there is a rule below the rule at 1 that allows the access, users will be able to access that file.

       

       

        Basavaraj_K
        Basavaraj_K
        Level 2
        January 1, 2020

        We implemented with below rule to avoid querybuilder execution.

        /0001

        {
        /type "deny"
        /path "*/bin/querybuilder*"
        /selectors "*"
        /extension "*"
        }

          Nirmal_Jose
          Adobe Employee
          Nirmal_JoseAdobe Employee
          Adobe Employee
          January 2, 2020

          Nice one, are you going to do the same for all the other exposed servlets
          /libs/cq/security/userinfo
          /libs/granite/security/currentuser

          etc which can also be hacked above the deny rule with an extension or selector rules

            S
            ssatworkAccepted solution
            Level 2
            February 17, 2020

            We are also looking for a solution to block the querybuilder on publisher. 

             

            We denied access to /bin. But we have to allow few extensions 

             

            /0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

             

            We blocked CSS as below

             

            /0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

             

            However following is accessible on another extension

            https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.limit=-100

             

            Do we have to disallow querybuilder on all extensions which were allowed in /0040 rule. Any thoughts to do this little more deligently. 

             

             

             

             

             

              rampai
              Community Advisor
              rampaiCommunity Advisor
              Community Advisor
              April 28, 2021

              Hi @vivianseba ,

               

              Some of these rules can still be bypassed by putting multiple slashes in the URL.

               

              As per Adobe documentation: 

              In Dispatcher versions later than 4.2.0, you can include POSIX Extended Regular Expressions in your filter patterns.

               

              You might want to try something similar to the below rule (This takes care of the URL part. You can add extension if needed):

              { /type "deny" /url '([/]+bin[/]+querybuilder(.*))' }

               

              As rightly mentioned earlier, a higher number in dispatcher doesn't mean higher priority. The rule that comes last always takes effect. So it is better to structure the filters in a way that there is nothing that allows these paths later on.

               

              Thanks,

              Ram

                Terms & ConditionsAccessibility statement

                Loading footer...