
SOLVED

Stop POST request from external Server to AEM / Dispatcher


Level 3

Hi Team,

We have seen a security-related issue in our environment.

Issue:

A POST request, which is coming from an external site, is able to access AEM, getting the response from AEM "Content Modified" (attached screenshot Response.png).

Reproducible:

1. Keep test3.html in your Tomcat / other servers.
   a. test3.html contains a POST request to AEM page (test3.html)
2. Make sure to set up AEM Publish & Dispatcher.
3. Access test3.html

On page load of test3.html, it will submit a POST request to AEM/Dispatcher.

Screenshots / Pages / Servers URL Info:

http://localhost:8081 ---- Tomcat Server (test3.html deployed here)
http://localhost:9080 --- Apache httpd Server (Configured dispatcher with Publish environment)
http://localhost:4505 --- Local AEM Publish instance

AEM 5.6 & Dispatcher (Apache 2.2)

Team, please let me know how I can block external POST requests to stop access to AEM.

Thanks in advance 

Ravindra Reddy

1 Accepted Solution


Correct answer by
Level 10

Make sure to take care of [1], which is surely missing from your symptoms. Configure the referrer filter and install the security-related hotfix. If you need further help, reach out with an official request.

[1] http://docs.adobe.com/docs/en/cq/5-6-1/deploying/security_checklist.html
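
The referrer filter recommended in the answer above works by checking the Referer header of state-changing requests against an allow-list. The sketch below is an added example, not part of the original thread and not AEM or Sling code; it models that check with the thread's lab ports, and the function names, the allow-list format, and the `/content/form.html` path are assumptions.

```python
from urllib.parse import urlsplit

# Methods that change state; safe methods such as GET are not filtered.
FILTERED_METHODS = {"POST", "PUT", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (host, port) for an absolute http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])

def allow_request(method, headers, allowed_origins, allow_empty=False):
    """Decide whether a request passes the Referer allow-list (hypothetical model)."""
    if method.upper() not in FILTERED_METHODS:
        return True
    referer = headers.get("Referer", "").strip()
    if not referer:
        # A missing Referer is rejected unless explicitly permitted.
        return allow_empty
    return origin_of(referer) in allowed_origins

# Assumption: only pages served through the dispatcher may submit forms.
ALLOWED = {("localhost", 9080)}

# Constructed sample requests based on the thread's lab setup.
SAMPLE_REQUESTS = [
    ("POST", {"Referer": "http://localhost:8081/test3.html"}),         # page on Tomcat
    ("POST", {"Referer": "http://localhost:9080/content/form.html"}),  # site's own form
    ("POST", {}),                                                      # no Referer sent
    ("GET", {"Referer": "http://localhost:8081/test3.html"}),          # not state-changing
    ("POST", {"Referer": "http://localhost.example.net:9080/x.html"}), # look-alike host
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Return the allow/block decision for each sample request."""
    return [allow_request(m, h, ALLOWED) for m, h in requests]

if __name__ == "__main__":
    for (method, headers), ok in zip(SAMPLE_REQUESTS, evaluate()):
        print("ALLOW" if ok else "BLOCK", method, headers.get("Referer", "-"))
```

Because everything in the reproduction runs on localhost, this model compares host and port; a host-only comparison would not tell the Tomcat page from the site's own pages.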


3 Replies



Level 10

"A POST request, which is coming from an external site, is able to access AEM, getting the response from AEM "Content Modified" (attached screenshot Response.png)."

Is your main concern here about an external server being able to send a POST request to AEM? 


Level 3

Hi smacdonald,

Thanks for the reply. Yes, the main concern is to stop external POST requests and allow AEM internal POST requests.

Thanks,

Ravindra Reddy