SOLVED

Servlet path error: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable

P_V_Nair
Level 2

Hello, I have a question about the below error seen multiple times in our prod logs. Ours is a DAM implementation project. The reason for this error is specified as below:

"The actual issue is AEM could not resolve the servlet and assumes it as a resource path but this is not a valid resource path, the below exception will be thrown when AEM tries to set the property values."

Can someone help understand if this is an OOB servlet call and how to trace the servlet details? How to fix this error?

11.08.2021 08:03:41.851 *ERROR* [10.22.1.4 [1628669021846] POST /content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:372) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:93) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.AbstractPostOperation.run(AbstractPostOperation.java:99) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:228) [org.apache.sling.servlets.post:2.3.26]

Adaptive Forms Asset Management Experience Manager
1 Accepted Solution
P_V_Nair
Correct answer by
Level 2

@asutosh_jena @Ritesh_M Just to update my analysis till now. Got to know that this servlet call was not happening from our application code.

The paths in the log were exactly matching the guideContainer paths in here https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py 

Got some more information on this from here https://thedarksource.com/aem-testing-by-security-analysts-perspective-manual-and-automated-methods/ . Please check on section 'Main Vulnerability in AEM Component: GuideInternalSubmitServlet'

So I believe it should be part of some AEM hacker testing or someone was even trying to do this AEM hacker testing on our application. This is my finding. Please shout out if you sense anything else in this scenario.

View solution in original post
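
An added example, not part of the original thread or of any tool it links to: a log triage script for the pattern in the accepted answer, which groups POST requests carrying the `guideContainer.af.internalsubmit` selector by the peer address in the request thread name and marks those that ended in the "is not modifiable" PersistenceException. The function name `find_probes`, the `192.0.2.10` address, the `example-form` path and `com.example.Placeholder` are constructed for illustration; only the first sample entry mirrors the log in the question.

```python
import re
from collections import defaultdict

# Any error.log entry starts with a timestamp and a *LEVEL* marker.
ENTRY_START = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3} \*\w+\* ")
# Request-thread form seen in the post: [peer [epoch-ms] METHOD path HTTP/x.y]
REQUEST = re.compile(
    r"^(?P<ts>\S+ \S+) \*\w+\* "
    r"\[(?P<peer>\S+) \[\d+\] (?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+\]"
)
PROBE_SELECTOR = "guideContainer.af.internalsubmit"  # selector from the logged path
NOT_MODIFIABLE = "is not modifiable"                 # PersistenceException text


def find_probes(lines):
    """Group POSTs carrying the internalsubmit selector by logged peer address."""
    hits = defaultdict(list)
    current = None
    for line in lines:
        if ENTRY_START.match(line):
            current = None  # a new log entry ends the previous stack trace
            m = REQUEST.match(line)
            if m and m["method"] == "POST" and PROBE_SELECTOR in m["path"]:
                current = {"ts": m["ts"], "path": m["path"], "rejected": False}
                hits[m["peer"]].append(current)
        if current is not None and NOT_MODIFIABLE in line:
            # The default Sling POST servlet took the request and could not write.
            current["rejected"] = True
    return dict(hits)


# Constructed sample: entry 1 mirrors the post, the rest is invented test data.
SAMPLE_LOG = """\
11.08.2021 08:03:41.851 *ERROR* [10.22.1.4 [1628669021846] POST /content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
org.apache.sling.api.resource.PersistenceException: Resource at '/content/forms/af/geometrixx-gov/application-for-assistance/jcr:content/guideContainer.af.internalsubmit.js' is not modifiable.
11.08.2021 08:03:42.107 *ERROR* [10.22.1.4 [1628669022101] POST /content/forms/af/example-form/jcr:content/guideContainer.af.internalsubmit.js HTTP/1.1] org.apache.sling.servlets.post.impl.operations.ModifyOperation Exception during response processing.
11.08.2021 08:05:10.400 *ERROR* [192.0.2.10 [1628669110395] GET /content/dam/example/asset.png HTTP/1.1] com.example.Placeholder constructed unrelated error: path is not modifiable
11.08.2021 08:05:11.000 *INFO* [sling-default-1] com.example.Placeholder constructed background job entry
"""

if __name__ == "__main__":
    for peer, entries in find_probes(SAMPLE_LOG.splitlines()).items():
        rejected = sum(e["rejected"] for e in entries)
        print(f"{peer}: {len(entries)} internalsubmit POSTs, {rejected} rejected as not modifiable")
```

If AEM sits behind a dispatcher or load balancer, the peer address in the thread name is that hop rather than the original client, so match the timestamps against the front-end access log to find the real source.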

3 Replies
asutosh_jena
Community Advisor

Hi @P_V_Nair

Your code (Java or JavaScript) is trying to make a POST request to the URL, and if the URL is not available then the default Sling servlet is called, and with a POST request it tries to create node/properties, which is why you get this error.

See here:

https://www.albinsblog.com/2016/06/caused-by-orgapacheslingapiresourcepers-resource-is-not-modifiabl...

Thanks!

Ritesh_M
Community Advisor

Hi @P_V_Nair,

This happens when the URL is not accessible. Check 'Apache Sling Servlet/Script Resolver'. Also, check the permission on the JS: is it accessible for the user, since it is a POST call?
