should NOT respond to GET /bin/querybuilder.feed.css with 200

teamu33465496

14-03-2019

As part of our environment scan, AMSSEC suggested this be fixed: "should NOT respond to GET /bin/querybuilder.feed.css with 200". In the scan it turned out to be Green, which AMS prefers to be Red. How do I get this fixed?

Accepted Solutions (1)


Gaurav-Behl

MVP

14-03-2019

Block this specific URL or "feed*" in dispatcher.any, based on your requirements:

/0090 { /type "deny" /url "/bin/querybuilder.feed.css" }  or

/0090 { /type "deny" /glob "* *.feed.css*" }  or

/0090 { /type "deny" /glob "* *.feed.*" }  or

/006 {
  /type "deny"
  /path "/bin/*"
  /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
  /extension '(css)'
  }

Answers (6)


Gaurav-Behl

MVP

09-09-2019

Check the Security Checklist:

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.

  • Adobe CRXDE Support (com.adobe.granite.crxde-support)
  • Adobe Granite CRX Explorer (com.adobe.granite.crx-explorer)
  • Adobe Granite CRXDE Lite (com.adobe.granite.crxde-lite)

Gaurav-Behl

MVP

14-03-2019

It would work fine, but in an ideal scenario (per best practices) you are supposed to deny all paths and allow only specific paths. When you deny all paths, /crx is covered under that.

HTH

teamu33465496

14-03-2019

Do you mean that this doesn't work for CRX?

  1. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  2. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }

Gaurav-Behl

MVP

14-03-2019

For #3 and #4, /crx/de and /crx/explorer can be blocked at AEM itself; otherwise, for the dispatcher you should deny all and allow only relevant paths.

You should have /0001 { /type "deny" /glob "*" } to take care of "/crx" and other paths.

For #1 and #2, use "selectors" and "extension":

/006 {
  /type "deny"
  # or, more narrowly: /path "/bin/querybuilder*"
  /path "/bin/*"
  /selectors '(feed|servlet|json)'
  /extension '(css)'
  }

Refer to: Dispatcher - publisher System/console is giving 500 error.
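To make the "deny all, then allow, then re-deny" ordering from the answers above concrete, here is an added Python model (not code from this thread or from Adobe) of how an ordered dispatcher filter list decides the four scanner URLs. It assumes last-matching-rule-wins evaluation, glob matching for /glob, /url and /path, and unanchored regex matching for /selectors and /extension; the rule list and the URL splitting are constructed simplifications, not the dispatcher's own parser.

```python
import re
from fnmatch import fnmatchcase

# Constructed rule list in dispatcher.any order (not a real configuration):
# deny everything first, allow only site content, then re-deny the
# querybuilder/feed variants from the thread. Later rules override earlier ones.
RULES = [
    {"type": "deny", "glob": "*"},                                   # /0001
    {"type": "allow", "path": "/content/*",
     "extension": "(html|css|js|json)"},                             # constructed
    {"type": "allow", "path": "/etc.clientlibs/*"},                  # constructed
    {"type": "deny", "path": "/bin/*", "selectors": "(feed|servlet|json)",
     "extension": "(css)"},                                          # /006
]

def parse_request(method, url):
    """Split a URL into the elements a rule can test (simplified, assumption:
    path = up to first '.' of last segment, extension = after last '.')."""
    last = url.rsplit("/", 1)[-1]
    head = url[: len(url) - len(last)]
    parts = last.split(".")
    return {
        "glob": f"{method} {url} HTTP/1.1",      # /glob sees the request line
        "url": url,
        "path": head + parts[0],
        "selectors": ".".join(parts[1:-1]),      # ';%0a' tricks stay in here
        "extension": parts[-1] if len(parts) > 1 else "",
    }

def rule_matches(rule, req):
    """Every property on a rule must match (AND); regexes assumed unanchored."""
    for key in ("glob", "url", "path"):
        if key in rule and not fnmatchcase(req[key], rule[key]):
            return False
    for key in ("selectors", "extension"):
        if key in rule and not re.search(rule[key], req[key]):
            return False
    return True

def decide(rules, method, url):
    """Return 'allow' or 'deny': the last matching rule wins."""
    req = parse_request(method, url)
    verdict = "deny"      # only reached if nothing matches; /0001 always does
    for rule in rules:
        if rule_matches(rule, req):
            verdict = rule["type"]
    return verdict
```

Moving the /006 deny in front of a broad css allow would flip the verdict for /bin/querybuilder.feed.css, which is why the targeted deny has to sit after the allow rules.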

teamu33465496

14-03-2019

I am trying to block these:

should NOT respond to GET /bin/querybuilder.feed.css with 200

should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200

should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200

should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200

So, does this work?

  1. { /type "deny"  /url "/bin/querybuilder.feed.css" }
  2. { /type "deny"  /url "/bin/querybuilder.json.servlet;%0aa.css" }
  3. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  4. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }