Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

unable to block http options with AEM felix configuration

ramgopalm545617
Level 4
Level 4
‎22-10-2020 10:48 PDT

Even after adding OPTIONS method to filter methods in both Adobe Granite CSRF filter and Apache sling referrer filter, the CURL requests are still responding with 200 response.

 

curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

 

is there is any other config which needs to be done to to stop HTTP OPTIONS on the direct server host:port URL, this has been raised a security vulnerability, please help us here

@Vijayalakshmi_S @Jörg_Hoh @vanegi @Arun_Patidar 

Views

324

Replies

5

Total Likes

Translate
5 Replies
Jörg_Hoh
Employee
Employee
‎22-10-2020 12:20 PDT

Hi,

 

AFAIK the security checklist advises you to always have a dispatcher in front an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).

Views

248

Replies

1

Total Likes

Translate
ramgopalm545617
Level 4
Level 4
‎23-10-2020 07:57 PDT
In response to Jörg_Hoh
Hi @Jörg_Hoh, we also know that this has to be blocked at apache level, but there is a security vulnerability that AEM HTTP OPTIONS opened, so we have to fix the issue

Views

231

Replies

0

Total Likes

Translate
ramgopalm545617
Level 4
Level 4
‎27-10-2020 04:37 PDT
In response to Arun_Patidar
thanks for the reply, even after adding the method to apache sling referrer filter, we are still facing the issue. it's strange that the local host is giving 401 for me as well in publish even without adding any configurations, really confused what should be next steps here. @Arun_Patidar

Views

233

Replies

0

Total Likes

Translate
Arun_Patidar
Community Advisor
Community Advisor
‎29-10-2020 13:25 PDT
In response to Arun_Patidar
Not sure, what could be the issueIf, if you want to block the request, create your own filter and block the request based on this 2 urls.

Views

211

Replies

0

Total Likes

Translate