Need to block the below access in dispatcher file

vivianseba
Level 1

24-12-2019

Hi All,

As part of the aem_hacker.py report, we were requested to block the below access in our application.

bin/querybuilder.json.css
bin/querybuilder.feed.css
libs/cq/security/userinfo.css
crx/de/index.jsp;%0aa.css


I have tried the below deny rules in the dispatcher.any file and they have not worked:

  { /type "deny" /url "/bin/querybuilder.feed.css" }
  { /type "deny" /url "/bin/querybuilder.json.servlet;%0aa.css" }
  { /type "deny" /url "/crx/de/index.jsp;%0aa.css" }
  { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)' }
  { /type "deny" /url "*.userinfo.css" }
  { /type "deny" /url "/crx/*.css" }
  { /type "deny" /path "/libs/*" }
  { /type "deny" /path "/bin/querybuilder*" }

Could you please suggest a solution to fix the aem_hacker.py report issues?

Accepted Solutions (1)

ssatwork
Level 1

17-02-2020

We are also looking for a solution to block the querybuilder on publisher.

We denied access to /bin. But we have to allow a few extensions:

/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

We blocked CSS as below:

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)' }

However, the following is accessible on another extension:

https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.lim...

Do we have to disallow querybuilder on all the extensions that were allowed in the /0040 rule? Any thoughts on doing this a little more diligently?

Answers (4)

rampai
Level 3

28-04-2021

Hi @vivianseba,

Some of these rules can still be bypassed by putting multiple slashes in the URL.

As per Adobe documentation:

In Dispatcher versions later than 4.2.0, you can include POSIX Extended Regular Expressions in your filter patterns.

You might want to try something similar to the below rule (this takes care of the URL part; you can add extension if needed):

{ /type "deny" /url '([/]+bin[/]+querybuilder(.*))' }

As rightly mentioned earlier, a higher number in dispatcher doesn't mean higher priority. The rule that comes last always takes effect. So it is better to structure the filters in a way that there is nothing that allows these paths later on.

Thanks,

Ram

Basavaraj_K
Level 2

01-01-2020

We implemented the below rule to avoid querybuilder execution.

/0001 { /type "deny" /path "*/bin/querybuilder*" /selectors "*" /extension "*" }

jbrar
Employee

27-12-2019

You need to make sure there is no other rule that allows the access, as the last dispatcher rule will be honoured. Example:

1) You denied access to files as part of a rule.

2) If there is a rule below the rule at 1 that allows the access, users will be able to access that file.


Vish_dhaliwal
Employee

25-12-2019

The following rules have been tested in a local setup. Please try the below deny rules:

{ /type "deny" /url "/bin/querybuilder*.css" }
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.*.css" }

 

Regards,

Vishu
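
The three observations made across this thread (a broad /extension allow placed after a /bin deny re-opens /bin/querybuilder.json.jpg, a glob on /url or /path is missed by //bin//querybuilder, and the last matching rule decides) can be reproduced offline with a small model of how the Dispatcher walks the /filter section. The Python below is an added example written for this page; it is not Adobe's Dispatcher code and not any poster's configuration. The WEAK_FILTERS and HARDENED_FILTERS strings are constructed from the rules quoted in the posts above (the /0001, /0010 and /0020 rules are assumed context, not quoted in the thread), the probe URLs are constructed (the .jpg request carries a shortened query string, the //bin// variant is the repeated-slash case Ram describes), and the evaluation semantics the model assumes (last match wins, default deny, double quotes are globs whose `*` also matches `/`, single quotes are anchored regexes, the raw path is decomposed without collapsing slashes or stripping `;` path parameters, and /url is compared without the query string) are listed in the docstring and should be checked against the Dispatcher version actually deployed.

```python
"""Toy model of AEM Dispatcher /filter evaluation (added example, not Adobe's code).

Assumptions the model makes (verify them against your Dispatcher version):
- rules are tried in file order and the LAST matching rule decides;
- a request that matches no rule is denied;
- double-quoted values are globs where '*' matches any run of characters,
  '/' included; single-quoted values are regexes; both must match the
  whole component;
- the raw request path is split Sling-style into path / selectors /
  extension / suffix WITHOUT collapsing repeated slashes or stripping
  ';' path parameters (that is exactly what the reported bypasses exploit);
- /url is compared against the path with the query string removed.
"""
import re

BLOCK_RE = re.compile(r'\{([^}]*)\}')
ATTR_RE = re.compile(r'/(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')')


def _compile(glob_text, regex_text):
    """One attribute value -> anchored regex (glob for "...", regex for '...')."""
    if regex_text is not None:
        return re.compile(r'\A(?:' + regex_text + r')\Z')
    body = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                   for c in glob_text)
    return re.compile(r'\A' + body + r'\Z')


def parse_rules(config_text):
    """Parse '/NNNN { /type "deny" /url "..." }' blocks into rule dicts."""
    rules = []
    for block in BLOCK_RE.findall(config_text):
        rule = {}
        for m in ATTR_RE.finditer(block):
            key, dq, sq = m.groups()
            if key == 'type':
                rule['type'] = dq if dq is not None else sq
            else:
                rule[key] = _compile(dq, sq)
        rules.append(rule)
    return rules


def decompose(url):
    """Split a raw URL into the components the filter attributes are matched on.
    Simplified: the first '.' in the path starts selectors/extension."""
    url = url.split('?', 1)[0]
    m = re.match(r'([^.]*)(?:\.([^/]*))?(/.*)?$', url)
    path, sel_ext, suffix = m.group(1), m.group(2) or '', m.group(3) or ''
    parts = sel_ext.split('.') if sel_ext else []
    return {'url': url, 'path': path, 'suffix': suffix,
            'selectors': '.'.join(parts[:-1]),
            'extension': parts[-1] if parts else ''}


def evaluate(rules, url):
    """'allow' or 'deny' for one URL; every attribute of a rule must match."""
    parts = decompose(url)
    verdict = 'deny'
    for rule in rules:
        if all(rx.match(parts.get(key, '')) for key, rx in rule.items()
               if key != 'type'):
            verdict = rule['type']
    return verdict


# Constructed from the rules quoted in the thread: /bin is denied, a broad
# allow-by-extension comes AFTER it, and the querybuilder deny is css-only.
WEAK_FILTERS = """
/0001 { /type "deny"  /url "*" }
/0010 { /type "allow" /url "/content/*" }
/0020 { /type "deny"  /url "/bin/*" }
/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }
/0120 { /type "deny"  /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)' }
"""

# Same allows, but the denies for the reported paths come LAST, match the
# whole /url regardless of extension, and tolerate repeated slashes.
HARDENED_FILTERS = """
/0001 { /type "deny"  /url "*" }
/0010 { /type "allow" /url "/content/*" }
/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }
/0120 { /type "deny"  /url '([/]+bin[/]+querybuilder(.*))' }
/0130 { /type "deny"  /url '([/]+crx(.*))' }
/0140 { /type "deny"  /url '([/]+libs[/]+cq[/]+security[/]+userinfo(.*))' }
"""

# Probe URLs (constructed): the reported paths, the .jpg variant with a
# shortened query string, and a repeated-slash variant.
PROBE_URLS = [
    "/bin/querybuilder.json.css",
    "/bin/querybuilder.feed.css",
    "/bin/querybuilder.json.jpg?path=/etc&p.hits=full",
    "//bin//querybuilder.json.css",
    "/crx/de/index.jsp;%0aa.css",
    "/libs/cq/security/userinfo.css",
    "/content/site/en.html",
]


def audit(config_text, urls=PROBE_URLS):
    """Map each probe URL to the verdict the given filter section gives it."""
    rules = parse_rules(config_text)
    return {url: evaluate(rules, url) for url in urls}


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_FILTERS), ('hardened', HARDENED_FILTERS)):
        print(f'--- {name} ---')
        for url, verdict in audit(cfg).items():
            print(f'{verdict:5}  {url}')
```

Running it shows the weak set denying only the two .css probes while letting the .jpg, the //bin// and the ;%0a variants through, and the hardened set denying everything except /content. Two things the model makes obvious that the rules in the thread alone do not: a deny scoped by /extension is only as good as the list of extensions you never allow elsewhere, so the deny for a servlet path has to be extension-agnostic and placed after every allow; and the /0040-style allow is still broad (anything with an allowed extension outside /content passes), so narrowing it to the paths that actually serve static assets is the next step. The model is a reasoning aid, not the check: after editing dispatcher.any, request each probe URL through the real Dispatcher and confirm the 403s.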