alexandreg50738 (Level 1) - Adobe Experience League community profile, joined the community 28-06-2019
Re: Is AEM author vulnerable to OWASP Unrestricted File Upload
alexandreg50738 (Level 1) - Adobe Experience Manager
A user can always upload binary data to the DAM. The thing here is that it would be necessary to have a way to check the file's magic number to guarantee that it conforms to a specific file-type whitelist. Another thing that could be prevented is a denial of service caused by a user uploading many big files within a time window.
Views 1.8K | Likes 0 | Replies 1
Re: Is AEM author vulnerable to OWASP Unrestricted File Upload
alexandreg50738 (Level 1) - Adobe Experience Manager
Yes, the case in which an authenticated user can write anything to /content/dam. According to OWASP (https://www.owasp.org/index.php/Unrestricted_File_Upload) this is considered a vulnerability. But since only authenticated users can upload files, I was wondering if it is still considered a vulnerability. Regarding the countermeasure for that issue, it would be to have a processor in the Sling request filter chain to handle the file upload checking, having then a way to check the mimetype if it's all...
Views 1.8K | Likes 0 | Replies 3
Re: Is AEM author vulnerable to OWASP Unrestricted File Upload
alexandreg50738 (Level 1) - Adobe Experience Manager
You are right regarding the unrestricted file upload not being listed in the OWASP Top Ten, but I would like to know if AEM mitigates this vulnerability.
Views 1.8K | Likes 0 | Replies 1
Is AEM author vulnerable to OWASP Unrestricted File Upload
alexandreg50738 (Level 1) - Adobe Experience Manager
Hello, I was reading about the OWASP Top Ten and was wondering if the AEM Author is vulnerable to the Unrestricted File Upload vulnerability. Here is my understanding: taking into account that in AEM Author we have the DAM file upload, we have here a possible candidate for an OWASP Unrestricted File Upload. But since access to the DAM file upload is restricted to trusted users, although the only possible prevention for this is the MIME type whitelisting in the OSGi Web Console, should this still b...
Views 2.0K | Likes 0 | Replies 8