Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Servlet path error: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable

Avatar

Adobe Champion

Hello I have a question about the below error seen multiple times in our prod logs. Our's is a DAM implementation project. The reason for this error is specified as below:

 

"The actual issue is AEM could not resolve the servlet and assumes it as a resource path but this is not a valid resource path, the below exception will be thrown when AEM tries to set the property values."

 

Can someone help understand if this is a OOB servlet call and how to trace the servlet details? How to fix this error?

 

 

11.08.2021 08:03:41.851 *ERROR* [10.22.1.4 [1628669021846] POST /content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:372) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:93) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.AbstractPostOperation.run(AbstractPostOperation.java:99) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:228) [org.apache.sling.servlets.post:2.3.26]

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Adobe Champion

@Asutosh_Jena_ @Ritesh_Mittal Just to update my analysis till now. Got to know that this servlet call was not happening from our application code.

The paths in the log were exactly matching the guideContainer paths in here https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py 

Got some more information on this from here https://thedarksource.com/aem-testing-by-security-analysts-perspective-manual-and-automated-methods/ . Please check on section 'Main Vulnerabiltiy in AEM Component: GuideInternalSubmitServlet'

So I believe it should be part of some AEM hacker testing or someone was even trying to do this AEM hacker testing on our application. This is my finding. Please shout out if you sense anything else in this scenario.

View solution in original post

3 Replies

Avatar

Community Advisor

Hi @P_V_Nair 

 

Your code(Java or JavaScript) is trying to making POST request to the URL, and if the URL is not available then default sling servlet is called and with POST request it tries to create node/properties which is why you get this error.

 

See here:

https://www.albinsblog.com/2016/06/caused-by-orgapacheslingapiresourcepers-resource-is-not-modifiabl...

 

Thanks!

Avatar

Community Advisor

Hi @P_V_Nair ,

 

This happens when the URL is not accessible. Check 'Apache Sling Servlet/Script Resolver'. Also, check the permission on the JS, is it accessible for the user since it is a POST call.

Avatar

Correct answer by
Adobe Champion

@Asutosh_Jena_ @Ritesh_Mittal Just to update my analysis till now. Got to know that this servlet call was not happening from our application code.

The paths in the log were exactly matching the guideContainer paths in here https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py 

Got some more information on this from here https://thedarksource.com/aem-testing-by-security-analysts-perspective-manual-and-automated-methods/ . Please check on section 'Main Vulnerabiltiy in AEM Component: GuideInternalSubmitServlet'

So I believe it should be part of some AEM hacker testing or someone was even trying to do this AEM hacker testing on our application. This is my finding. Please shout out if you sense anything else in this scenario.