Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Need to block the below access in dispatcher file

Avatar

Level 2
Level 2
12/24/19 11:29:58 PM

Hi All,

As part of aem_hacker.py reports,requested us block the below access in our application.

bin/querybuilder.json.css
bin/querybuilder.feed.css
ibs/cq/security/userinfo.css
crx/de/index.jsp;%0aa.css


I have tried with the below deny rule in dispatcher.any file and it's not worked

 

  1. { /type "deny"  /url"/bin/querybuilder.feed.css" }
  2. { /type "deny"  /url"/bin/querybuilder.json.servlet;%0aa.css" }
  3. { /type "deny"  /url"/crx/de/index.jsp;%0aa.css" }
  4. { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
  5. { /type "deny" /url "*.userinfo.css"}
  6. { /type "deny" /url "/crx/*.css"
  7. { /type "deny" /path "/libs/*" }
  8. { /type "deny" /path "/bin/querybuilder*" }

Could you please suggest with solution to fix the hacker.py report issues ?

Views

7.4K

Replies

8
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 2
Level 2
2/17/20 8:27:33 AM

We are also looking for a solution to block the querybuilder on publisher. 

 

We denied access to /bin. But we have to allow few extensions 

 

/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

 

We blocked CSS as below

 

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

 

However following is accessible on another extension

https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.lim...

 

Do we have to disallow querybuilder on all extensions which were allowed in /0040 rule. Any thoughts to do this little more deligently. 

 

 

 

 

 

View solution in original post

Views

5.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
8 Replies

Avatar

Employee
Employee
12/25/19 6:38:22 AM

The following rules have been tested in local setup. Please try below deny rules:

{ /type "deny" /url "/bin/querybuilder*.css" }
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.*.css" }

 

Regards,

Vishu

Views

5.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
12/26/19 11:16:50 AM
In response to Vish_dhaliwal
Hi Vishu, it may not be just css extension and not just querybuilder servlet. It could be all the allowed extensions like js, png etc combined with the servlet Url

Views

5.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
12/27/19 12:42:48 PM

You need to make sure there is no other rule that allows thew access as the last dispatcher rule will be honoured. Example:

 

1) You denied access to files as part of a rule

2) If there is a rule below the rule at 1 that allows the access, users will be able to access that file.

 

 

Views

4.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/1/20 2:12:56 AM

We implemented with below rule to avoid querybuilder execution.

/0001

{
/type "deny"
/path "*/bin/querybuilder*"
/selectors "*"
/extension "*"
}

Views

5.4K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
1/2/20 1:52:15 AM
In response to Basavaraj_K

Nice one, are you going to do the same for all the other exposed servlets
/libs/cq/security/userinfo
/libs/granite/security/currentuser

etc which can also be hacked above the deny rule with an extension or selector rules

Views

5.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 2
Level 2
2/17/20 8:27:33 AM

We are also looking for a solution to block the querybuilder on publisher. 

 

We denied access to /bin. But we have to allow few extensions 

 

/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

 

We blocked CSS as below

 

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

 

However following is accessible on another extension

https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.lim...

 

Do we have to disallow querybuilder on all extensions which were allowed in /0040 rule. Any thoughts to do this little more deligently. 

 

 

 

 

 

Views

5.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 6
Level 6
4/28/21 9:46:52 AM

Hi @vivianseba ,

 

Some of these rules can still be bypassed by putting multiple slashes in the URL.

 

As per Adobe documentation: 

In Dispatcher versions later than 4.2.0, you can include POSIX Extended Regular Expressions in your filter patterns.

 

You might want to try something similar to the below rule (This takes care of the URL part. You can add extension if needed):

{ /type "deny" /url '([/]+bin[/]+querybuilder(.*))' }

 

As rightly mentioned earlier, a higher number in dispatcher doesn't mean higher priority. The rule that comes last always takes effect. So it is better to structure the filters in a way that there is nothing that allows these paths later on.

 

Thanks,

Ram

Views

3.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Reg: Video Smartcrops in AEM 6.5

Views

48

Likes

0

Replies

1
Core Carousel component slides stacking one below the other

Views

84

Likes

0

Replies

3
I am getting errors while building the code taken from wknd git clone

Views

104

Likes

0

Replies

4
Custom index in AEMaaCS environment appeared like it might be causing problem with OOTB query, but updating the index didn't fix it

Views

147

Likes

0

Replies

9
Could not log in with my Adobe account after de-hibernating

Views

71

Likes

0

Replies

3