Need to block the below access in dispatcher file

vivianseba

24-12-2019

Hi All,

As part of the aem_hacker.py report, we were requested to block the below access in our application.

bin/querybuilder.json.css
bin/querybuilder.feed.css
ibs/cq/security/userinfo.css
crx/de/index.jsp;%0aa.css


I have tried the below deny rules in the dispatcher.any file and they did not work:

{ /type "deny" /url "/bin/querybuilder.feed.css" }
{ /type "deny" /url "/bin/querybuilder.json.servlet;%0aa.css" }
{ /type "deny" /url "/crx/de/index.jsp;%0aa.css" }
{ /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)' }
{ /type "deny" /url "*.userinfo.css" }
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /path "/libs/*" }
{ /type "deny" /path "/bin/querybuilder*" }

Could you please suggest a solution to fix the hacker.py report issues?

Accepted Solutions (1)

ssatwork

17-02-2020

We are also looking for a solution to block the querybuilder on publisher.

We denied access to /bin, but we have to allow a few extensions:

/0040 { /type "allow" /extension '(css|jpg|gif|ico|js|xml|txt)' }

 

We blocked CSS as below:

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

 

However, the following is accessible on another extension:

https://aemsite/bin/querybuilder.json.jpg?path=/etc/cloudservices/application/&p.hits=full&p.lim...

Do we have to disallow querybuilder on all extensions that were allowed in the /0040 rule? Any thoughts on doing this a little more diligently?
Answers (3)

Basavaraj_K

01-01-2020

We implemented the below rule to avoid querybuilder execution.

/0001

{
/type "deny"
/path "*/bin/querybuilder*"
/selectors "*"
/extension "*"
}

jbrar

Employee

27-12-2019

You need to make sure there is no other rule that allows the access, as the last dispatcher rule will be honoured. Example:

1) You denied access to files as part of a rule.

2) If there is a rule below the rule in 1) that allows the access, users will be able to access that file.
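The extension bypass ssatwork reports in the accepted solution (the deny only covers the css extension, so querybuilder.json.jpg slips through the /0040 allow) and the ordering point made here (the last matching rule wins) can both be reproduced offline with a small model of dispatcher filter evaluation. The following is an added example, not code from this thread or from Adobe's dispatcher. It assumes: double-quoted rule values are globs where `*` matches any characters, `/` included (approximated with Python's fnmatch); single-quoted values such as '(feed|servlet|json)' are regexes; the query string is ignored by /url; and a request matched by no rule is denied. The rule sets and probe URLs are constructed from what the posts describe, not copied from anyone's dispatcher.any.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Simplified model of AEM dispatcher /filter evaluation: every rule is tried in
# order and the LAST matching rule decides. Assumptions (not verified against
# the real dispatcher): double-quoted values are globs where '*' matches any
# characters including '/', single-quoted values are regexes (rx() below), and
# a request that matches no rule at all is denied.


def rx(expr):
    """Model a single-quoted dispatcher value such as '(feed|servlet|json)'."""
    return re.compile(expr)


def decompose(url):
    """Split a request URL into the parts a filter rule can match on.

    Simplified Sling-style decomposition: the query string is ignored, the
    first '.' in the last path segment ends the path, the text up to the last
    '.' is the selector string and the rest is the extension.
    """
    path = urlsplit(url).path
    head, _, last = path.rpartition("/")
    base, dot, rest = last.partition(".")
    if not dot:
        return {"url": path, "path": path, "selectors": "", "extension": ""}
    pieces = rest.split(".")
    return {
        "url": path,
        "path": f"{head}/{base}",
        "selectors": ".".join(pieces[:-1]),
        "extension": pieces[-1],
    }


def rule_matches(rule, parts):
    """A rule matches when every property it specifies matches the request."""
    for key in ("url", "path", "selectors", "extension"):
        pattern = rule.get(key)
        if pattern is None:
            continue
        value = parts[key]
        if isinstance(pattern, re.Pattern):
            if pattern.fullmatch(value) is None:
                return False
        elif not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def evaluate(rules, url):
    """Return 'allow' or 'deny' for url under last-matching-rule semantics."""
    parts = decompose(url)
    decision = "deny"  # assumed default when no rule matches
    for rule in rules:
        if rule_matches(rule, parts):
            decision = rule["type"]
    return decision


# Constructed rule sets. LEAKY follows the accepted solution: deny everything,
# deny /bin, allow a list of extensions, then deny querybuilder for css only.
LEAKY_RULES = [
    {"type": "deny", "url": "*"},
    {"type": "deny", "url": "/bin/*"},
    {"type": "allow", "extension": rx("(css|jpg|gif|ico|js|xml|txt)")},
    {"type": "deny", "path": "/bin/querybuilder*",
     "selectors": rx("(feed|servlet|json)"), "extension": rx("(css)")},
]

# MISORDERED puts the querybuilder deny before the extension allow, so the
# allow is the last match for any css request (the ordering point above).
MISORDERED_RULES = [LEAKY_RULES[0], LEAKY_RULES[1], LEAKY_RULES[3], LEAKY_RULES[2]]

# HARDENED keeps the allow but follows it with denies that ignore selectors and
# extension, so no allowed extension can be used to reach querybuilder or /crx.
HARDENED_RULES = LEAKY_RULES[:3] + [
    {"type": "deny", "path": "*/bin/querybuilder*", "selectors": "*", "extension": "*"},
    {"type": "deny", "url": "/crx/*"},
]

# Constructed probe URLs modelled on the ones in the thread.
PROBES = [
    "/bin/querybuilder.json.css",
    "/bin/querybuilder.json.jpg?path=/etc/cloudservices&p.hits=full",
    "/crx/de/index.jsp;%0aa.css",
    "/content/site/en/style.css",
]


def report(rules):
    """Map each probe URL to the decision the rule set produces for it."""
    return {url: evaluate(rules, url) for url in PROBES}


if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_RULES), ("misordered", MISORDERED_RULES),
                        ("hardened", HARDENED_RULES)):
        print(name)
        for url, decision in report(rules).items():
            print(f"  {decision:5} {url}")
```

The model is only as good as its assumptions about glob and URL decomposition; use it to reason about rule order and coverage, then confirm each probe URL against the real dispatcher with curl before trusting the result.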


Vish_dhaliwal

Employee

25-12-2019

The following rules have been tested in a local setup. Please try the below deny rules:

{ /type "deny" /url "/bin/querybuilder*.css" }
{ /type "deny" /url "/crx/*.css" }
{ /type "deny" /url "/bin/querybuilder*.*.css" }

 

Regards,

Vishu