
SOLVED

Overlay 403 error page for rejected referrer


Level 1

Good morning,
we maintain an AEM site for one of our customers. It runs on AEM 6.5 with sp19.
Another consulting company conducted a WAPT on the site.
While calling a service exposed by a servlet implemented in our code base, they faced an error. They said that the error is not properly handled because it can reveal information that can be used by an attacker.
These are the texts shown in the response page:
HTTP ERROR 403 Forbidden
URI: /content/mysite/some_path/_jcr_content/service.json
STATUS: 403
MESSAGE: Forbidden
SERVLET: org.apache.felix.http.base.internal.dispatch.DispatcherServlet-20a53b01

The information that should not be exposed here is the last row about DispatcherServlet.

This is the error I find in error.log
04.03.2024 10:49:33.194 *INFO* [qtp409487897-61] org.apache.sling.security.impl.ReferrerFilter Rejected referrer header for POST request to /content/mysite/some_path/_jcr_content/service.json : https://mydomain.com/content/mysite/some_path/some_page.html

Can you tell us how we can fix the problem and hide such details about DispatcherServlet?

We already have a custom 404 page implemented at this path: /apps/sling/servlet/errorhandler/404.html
We already tried implementing a 403 page at the same path (/apps/sling/servlet/errorhandler/403.html), but the custom 403 page we created is not called; we still get the message I showed before.

I don't know if the problem is the fact that there is no /libs/sling/servlet/errorhandler/403.jsp in /libs to overlay.

The 403 page we want to implement should manage any 403 error that comes up; anyway, I specified "for rejected referrer" because this is the case that has been brought to our attention.


Best regards.

1 Accepted Solution


Correct answer by
Community Advisor

Hi @afanot 
Why are you allowing all .json requests to reach the publisher? They should be blocked at the dispatcher using a filter.

So you deny everything and then allow only what is supposed to reach the publishers.

Example: https://github.com/arunpatidar02/aemaacs-aemlab/blob/master/dispatcher.cloud/src/conf.dispatcher.d/f...

 

Use dispatcher for error handling: 

https://github.com/arunpatidar02/aemaacs-aemlab/blob/e31fc62bfd147e56ecaca740c6e2739c66c75f75/dispat... 

 



Arun Patidar


6 Replies



Level 1

I thank you both for your replies.

 

@arunpatidar 
Regarding json, the service I was talking about accepts data in that format, so we have rules in dispatcher.any that allow json.
Maybe we can set stricter rules, but I don't think that the problem is due to those rules. I'm comparing the request they gave us to reproduce the problem in Postman with the one I obtain from the page with the browser, which doesn't cause the error. Even if the error is about the referrer, what I noticed from the beginning, with great surprise, is that the referrer in the two requests is the same.
Maybe the error is caused by another header parameter, but I haven't found it yet.
We already have ErrorDocument directives in httpd.conf for 403 and 404 errors. But in this case the page displayed is another page that is maybe handled by Sling.

 

@EstebanBustamante 

I will check the page you suggested.


Community Advisor

Hi @afanot 

You should deny .json but enable it only with a specific selector and the GET method type.

e.g. /content/mysite/some_path.serviceName.json

This would restrict all POST and GET requests except your service call with GET.

 



Arun Patidar
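The deny-everything-then-allow filter section that Arun describes, with the selector-based service URL from his second reply, written out as an added example. This is not the file from the linked repository (that link is truncated above); the site name, page path and the serviceName selector come from the thread, while the rule numbers, the client-library path and the error-page location are assumptions for illustration. A request the dispatcher denies is answered by the dispatcher itself, so the publisher's Jetty error page, with its SERVLET line, is never produced for it.

```apache
# Added example: the /filter section of the site's farm in dispatcher.any
# (AEM 6.5 dispatcher). Rules are evaluated top to bottom and the LAST
# matching rule wins, so the catch-all deny comes first and narrow allows
# follow it. Double-quoted values are glob patterns, single-quoted values
# are regular expressions.
/filter
  {
  # Deny everything; every later rule re-opens one specific shape of request.
  /0001 { /type "deny"  /url "*" }

  # Rendered pages: GET only, .html only. This rule also admits the custom
  # error pages that ErrorDocument points at (assumed under
  # /content/mysite/errors/), since they are ordinary .html pages.
  /0010 { /type "allow" /method "GET" /url "/content/mysite/*" /extension "html" }

  # Client libraries (typical 6.5 allow; adjust to the project's real paths).
  /0020 { /type "allow" /method "GET" /url "/etc.clientlibs/*" }

  # The single .json entry point: a fixed page path, a fixed selector, GET
  # only, i.e. /content/mysite/some_path.serviceName.json. No wildcard here,
  # so nothing else under /content/mysite/*.json gets through, and a POST to
  # /content/mysite/some_path/_jcr_content/service.json stays denied by /0001.
  /0030 { /type "allow" /method "GET" /path "/content/mysite/some_path" /selectors "serviceName" /extension "json" }

  # Defensive re-deny: even if a broader allow is added above later, never
  # expose a _jcr_content node as a JSON tree dump.
  /0040 { /type "deny"  /url "/content/mysite/*/_jcr_content*" /extension "json" }
  }
```

After deploying, verify with the dispatcher's own log (debug level shows which rule numbers matched) rather than by inspecting the publisher's error.log: the ReferrerFilter line quoted in the question only appears when a request has already reached the publisher, which is what the filter above prevents.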


Level 1

Hi @arunpatidar and @EstebanBustamante ,

we are going to implement 403 and 404 pages at the dispatcher level with the ErrorDocument instruction.
We already had that instruction for the 404 error, but it wasn't working because DispatcherPassError was set to 0.

Thanks again for your suggestions.

 

Best regards.
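The ErrorDocument plus DispatcherPassError setup the thread ends on, as an added example of an AEM 6.5 dispatcher virtual host (not the configuration from the repository Arun linked). With DispatcherPassError at its default of 0 the dispatcher spools the publisher's error body to the client unchanged, which is exactly the Jetty 403 page with the DispatcherServlet line; setting it to 1, or to a list of status codes, hands those responses to Apache so that ErrorDocument replaces the body. This also explains why the overlay under /apps/sling/servlet/errorhandler was never called for the rejected referrer: org.apache.sling.security.impl.ReferrerFilter runs as a servlet filter in the Felix HTTP service and calls sendError(403) before Sling's servlet resolution starts, so the container, not Sling's error handler, renders the page. The vhost name and the error-page paths are assumptions.

```apache
# Added example: conf.d/available_vhosts/mysite.vhost for the AEM 6.5
# dispatcher. ServerName and the error-page paths are assumptions.
<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /mnt/var/www/html

    <Directory />
        <IfModule disp_apache2.c>
            SetHandler dispatcher-handler
        </IfModule>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Default is 0: the publisher's error body (Jetty's page, SERVLET line
    # included) is sent to the client as-is and ErrorDocument is ignored.
    # Either hand every error status to Apache ...
    DispatcherPassError 1
    # ... or only the codes that have a custom page, for example:
    # DispatcherPassError 403-404,500

    # The custom pages are fetched from the publisher through the dispatcher
    # (so GET .html under /content/mysite/ must be allowed by the filter
    # rules) and are cached like any other page.
    ErrorDocument 403 /content/mysite/errors/403.html
    ErrorDocument 404 /content/mysite/errors/404.html
</VirtualHost>
```

To confirm the fix, reproduce the pentesters' POST from the question against the dispatcher and check that the 403 body is the custom page and contains no SERVLET or URI lines; then check the same for a GET to a denied .json path, which the dispatcher answers without contacting the publisher.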


Community Advisor

Hi, 

You should have an error handler for any 403 error. You can implement this at different layers of your architecture.

  • You could do it at the dispatcher layer, as in the snippet Arun has shared.
  • You could do it at the Sling level.
  • You could even do it at the component level.

Please check this article, which explains in detail how to handle these scenarios: https://blog.3sharecorp.com/error-handling-in-aem

 

Hope this helps

 



Esteban Bustamante


Administrator

@afanot Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.



Kautuk Sahni