AdobeDocs / experience-manager-dispatcher.en

This is the repository for Adobe Experience Manager Dispatcher documentation. Your contributions to the documentation are welcome.
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/dispatcher

Dispatcher Filters insecure #32

Open jarrell-adobe opened 4 years ago

jarrell-adobe commented 4 years ago

Hey there, Zach Jarrell from Adobe Managed Services. The filter rules on this page are known to be insecure, and if AEM users were to put them in production they would risk serious exposure to crafted URLs and pivoting. Rules 22, 23, and 41, specifically: they allow crx access with a pivot, and 23 allows .tidy.json to load.

aheim0 commented 4 years ago

Thanks for highlighting this, we will investigate.

jarrell-adobe commented 4 years ago

I just had a customer try to go live with the config listed here.

[Screenshot: Screen Shot 2020-08-05 at 3 37 18 AM]

I ran my security scanner against the dispatcher and this was the result for publish_filters.any:

################################################################### Below ERRORs are regarding synopsys_publish_filters.any:

ERROR: /bin/crxde/logs IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0022 allowed 'GET /bin/crxde/logs HTTP/1.1'

ERROR: /bin/querybuilder.feed.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0041 allowed 'GET /bin/querybuilder.feed.css HTTP/1.1'

ERROR: /bin/querybuilder.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0022 allowed 'GET /bin/querybuilder.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/querybuilder.json.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0022 allowed 'GET /bin/groovyconsole/audit.servlet HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet.css HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet.css HTTP/1.1'

ERROR: /bin/groovyconsole/audit.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/audit.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0022 allowed 'GET /bin/groovyconsole/post.servlet HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet.css HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet;%0aa.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet.css HTTP/1.1'

ERROR: /bin/groovyconsole/post.servlet;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/groovyconsole/post.servlet;%0aa.css HTTP/1.1'

ERROR: /content.s7publish.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content.s7publish.json HTTP/1.1'

ERROR: /content/ IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/ HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.blueprint.conf HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.blueprint.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.childrenlist.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.infinity..json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.infinity.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.languages.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.media.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.offline.doc HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.offline.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.search.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.version.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/add_valid_page.html?debug=layout HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/content/geometrixx.sitemap.txt HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en._jcr_content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.activity.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.html HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.xml HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en.html?debug=layout HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.mcmtree.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en.pages.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en.paragraphs.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.rss.xml HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.views.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/geometrixx.sitemap.txt HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename._jcr_content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename.jcr:content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/screens.exportsearch.csv HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/usergenerated/mytestnode/ HTTP/1.1'

ERROR: /content/.blueprint.conf IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.blueprint.conf HTTP/1.1'

ERROR: /content/.blueprint.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.blueprint.json HTTP/1.1'

ERROR: /content/.childrenlist.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.childrenlist.json HTTP/1.1'

ERROR: /content/.infinity..json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.infinity..json HTTP/1.1'

ERROR: /content/.infinity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.infinity.json HTTP/1.1'

ERROR: /content/.languages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.languages.json HTTP/1.1'

ERROR: /content/.media.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/.media.json HTTP/1.1'

ERROR: /content/.offline.doc IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/.offline.doc HTTP/1.1'

ERROR: /content/.offline.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/.offline.json HTTP/1.1'

ERROR: /content/.search.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/.search.json HTTP/1.1'

ERROR: /content/.tidy.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1'

ERROR: /content/.version.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/.version.json HTTP/1.1'

ERROR: /content/add_valid_page.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/add_valid_page.html?debug=layout HTTP/1.1'

ERROR: /content/content/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/content/geometrixx.sitemap.txt HTTP/1.1'

ERROR: /content/mypage/en._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en._jcr_content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en.activity.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.activity.json HTTP/1.1'

ERROR: /content/mypage/en.feed.html IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.html HTTP/1.1'

ERROR: /content/mypage/en.feed.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en.feed.xml HTTP/1.1'

ERROR: /content/mypage/en.html?debug=layout IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en.html?debug=layout HTTP/1.1'

ERROR: /content/mypage/en.mcmtree.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.mcmtree.json HTTP/1.1'

ERROR: /content/mypage/en.pages.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en.pages.json HTTP/1.1'

ERROR: /content/mypage/en.paragraphs.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en.paragraphs.json HTTP/1.1'

ERROR: /content/mypage/en.rss.xml IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en.rss.xml HTTP/1.1'

ERROR: /content/mypage/en.views.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en.views.json HTTP/1.1'

ERROR: /content/mypage/en/_jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en/_jcr_content.json IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en/_jcr_content.json HTTP/1.1'

ERROR: /content/mypage/en/geometrixx.sitemap.txt IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/geometrixx.sitemap.txt HTTP/1.1'

ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1'

ERROR: /content/mypage/en/jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.feed HTTP/1.1' [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en/jcr:content.json HTTP/1.1'

ERROR: /content/mypage/en/pagename._jcr_content.feed IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename._jcr_content.feed HTTP/1.1'

ERROR: /content/mypage/en/pagename.jcr IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/mypage/en/pagename.jcr:content.feed HTTP/1.1'

ERROR: /content/screens.exportsearch.csv IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/screens.exportsearch.csv HTTP/1.1'

ERROR: /content/usergenerated/mytestnode/ IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 1147] Filter rule entry /0023 allowed 'GET /content/usergenerated/mytestnode/ HTTP/1.1'

ERROR: /crx/de/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /crx/de/index.jsp;%0aa.css HTTP/1.1'

ERROR: /crx/explorer/index.jsp;%0aa.css IS RETURNING 200 ON PUBLISHER. Relevant log entries: [Wed Aug 05 03:26:31 2020] [T] [pid 939] Filter rule entry /0041 allowed 'GET /crx/explorer/index.jsp;%0aa.css HTTP/1.1'
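A quick way to turn a trace log like the one above into a per-rule worklist, as an added example that is not part of this issue or of Adobe's tooling: parse the `Filter rule entry … allowed '…'` lines, flag the allowed requests that hit admin paths, carry a `;%0a` path-parameter pivot, use content-dump selectors such as `tidy` or `infinity`, request raw export extensions, or pass `debug=`, and group them by the rule entry that let them through. The sample lines are constructed to match the format of the trace above; the `blocked` wording on the last sample line, the admin-prefix list and the selector list are assumptions of this example, not something the scanner in the thread emits.

```python
"""Triage Dispatcher trace-log lines: which filter rule let which risky request through."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the shape of the Dispatcher trace lines quoted in the
# scanner output above, plus two ordinary requests and one blocked request
# (the 'blocked' wording is an assumption about the log format).
SAMPLE_TRACE = """\
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0022 allowed 'GET /bin/crxde/logs HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0041 allowed 'GET /bin/querybuilder.json.servlet;%0aa.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 937] Filter rule entry /0023 allowed 'GET /content/.tidy.json HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 938] Filter rule entry /0023 allowed 'GET /content/mypage/en.html?debug=layout HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0041 allowed 'GET /crx/de/index.jsp;%0aa.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0023 allowed 'GET /content/mypage/en.html HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 936] Filter rule entry /0041 allowed 'GET /etc.clientlibs/site/clientlibs/site.css HTTP/1.1'
[Wed Aug 05 03:26:31 2020] [T] [pid 935] Filter rule entry /0001 blocked 'GET /system/console/bundles HTTP/1.1'
"""

TRACE_RE = re.compile(
    r"Filter rule entry (?P<rule>/\d+) (?P<verdict>allowed|blocked) "
    r"'(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d'"
)
# Assumed list of prefixes that should never reach a publisher from the internet.
ADMIN_PREFIXES = ("/bin/", "/crx/", "/system/", "/home/")
# Selectors seen in the scanner output that dump repository structure or content
# (plus numeric depth selectors); assumed list, extend for your site.
DUMP_SELECTOR_RE = re.compile(
    r"\.(tidy|infinity|childrenlist|blueprint|languages|search|version|offline|media|feed|rss|"
    r"pages|paragraphs|views|activity|mcmtree|query|exportsearch|s7publish|sysview|docview|-?\d+)\.",
    re.IGNORECASE,
)
RAW_EXT_RE = re.compile(r"\.(json|xml|csv|txt|feed)(?:$|[?;])")


def parse_trace(text):
    """Return one dict per 'Filter rule entry ...' line: rule, verdict, method, url."""
    return [m.groupdict() for m in map(TRACE_RE.search, text.splitlines()) if m]


def risk_reasons(url):
    """Why an allowed request deserves a second look; [] means it looks like ordinary site traffic."""
    path, _, query = url.partition("?")
    decoded = unquote(path)  # %0a becomes a real newline, as Sling would see it
    reasons = []
    if decoded.startswith(ADMIN_PREFIXES):
        reasons.append("admin/servlet path")
    if ";" in decoded or "\n" in decoded or "\r" in decoded:
        reasons.append("path-parameter/newline pivot")  # the ';%0aa.css' tail in the trace
    if "jcr:content" in decoded or "_jcr_content" in decoded:
        reasons.append("direct jcr:content access")
    m = DUMP_SELECTOR_RE.search(decoded)
    if m:
        reasons.append(f"content-dump selector '{m.group(1)}'")
    if RAW_EXT_RE.search(decoded):
        reasons.append("raw-export extension")
    if "debug=" in query:
        reasons.append("debug query parameter")
    return reasons


def triage(entries):
    """Group risky *allowed* requests by the filter rule entry that let them through."""
    by_rule = defaultdict(list)
    for e in entries:
        if e["verdict"] != "allowed":
            continue
        reasons = risk_reasons(e["url"])
        if reasons:
            by_rule[e["rule"]].append((e["url"], reasons))
    return dict(by_rule)


if __name__ == "__main__":
    for rule, hits in sorted(triage(parse_trace(SAMPLE_TRACE)).items()):
        print(f"{rule}: {len(hits)} risky request(s) allowed")
        for url, reasons in hits:
            print(f"    {url}  <- {', '.join(reasons)}")
```

Run it against a real `dispatcher.log` captured at trace level and the output is the list of rule entries to tighten first, in the order the log hit them; the selector and prefix lists are heuristics, so expect to prune entries such as `model.json` that a site legitimately serves under `/content`.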

jarrell-adobe commented 4 years ago

AMS OOTB replaces 42 and 23 with the following rule:

## This rule allows content to be accessed
/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } ## disable this rule to allow mapped content only
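To see what the replacement rule changes, here is an added example (not Adobe's code and not the scanner used above) that replays probe URLs from the trace through a simplified model of Dispatcher filter matching. The "doc-style" rule bodies are stand-ins inferred only from which URLs each entry allowed in the trace (22 allowed `/bin/...`, 23 allowed `/content...`, 41 allowed URLs ending in `.css`); the real text of those rules is not reproduced on this page. The model assumes Dispatcher's double-quote-glob / single-quote-regex convention, last-match-wins ordering, a `*` that spans `/`, and a Sling-style path/selectors/extension split with no suffix handling and no percent-decoding.

```python
"""Replay probe URLs from this thread through a simplified model of Dispatcher filter matching."""
import re
from fnmatch import fnmatchcase

# Stand-ins for the documented rules, inferred from the trace above; not the real rule text.
DOC_STYLE_RULES = """
/0001 { /type "deny"  /url "*" }
/0022 { /type "allow" /url "/bin/*" }
/0023 { /type "allow" /url "/content*" }
/0041 { /type "allow" /url "*.css" }
"""

# The AMS replacement rule quoted in the comment above, behind a deny-everything entry.
AMS_RULES = """
/0001 { /type "deny"  /url "*" }
/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } ## disable this rule to allow mapped content only
"""

# Probe URLs taken from the scanner output above, plus one ordinary page request.
PROBES = [
    "/bin/crxde/logs",
    "/bin/querybuilder.json.servlet;%0aa.css",
    "/crx/de/index.jsp;%0aa.css",
    "/content/.tidy.json",
    "/content/mypage/en/jcr:content.json",
    "/content/mypage/en.html",
    "/content/mypage/en.feed.html",
    "/content/mypage/en.html?debug=layout",
]

RULE_RE = re.compile(r"^\s*/(?P<id>\d+)\s*\{(?P<body>.*)\}\s*(?:#.*)?$")
# Dispatcher convention: double quotes = glob, single quotes = regex.
ATTR_RE = re.compile(r"/(?P<key>\w+)\s+(?:\"(?P<glob>[^\"]*)\"|'(?P<regex>[^']*)')")


def parse_rules(text):
    """Parse '/NNNN { /key "glob" /key 'regex' ... }' lines into (id, {key: (kind, pattern)})."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        attrs = {}
        for a in ATTR_RE.finditer(m.group("body")):
            if a.group("regex") is not None:
                attrs[a.group("key")] = ("regex", a.group("regex"))
            else:
                attrs[a.group("key")] = ("glob", a.group("glob"))
        rules.append((m.group("id"), attrs))
    return rules


def decompose(url, method="GET"):
    """Sling-style split of the request; assumed simplifications: no suffix, no percent-decoding."""
    url_nq, _, query = url.partition("?")
    head, _, last = url_nq.rpartition("/")
    if "." in last:
        name, _, rest = last.partition(".")
        *selectors, extension = rest.split(".")
    else:
        name, selectors, extension = last, [], ""
    return {"method": method, "url": url_nq, "path": f"{head}/{name}",
            "selectors": ".".join(selectors), "extension": extension, "query": query}


def matches(kind, pattern, value):
    if kind == "glob":
        return fnmatchcase(value, pattern)  # '*' spans '/' here, so "/content/*" covers nested pages
    return re.fullmatch(pattern, value) is not None


def evaluate(rules, url, method="GET"):
    """Last matching rule wins; with no match at all the request is denied."""
    parts = decompose(url, method)
    verdict, winner = "deny", None
    for rule_id, attrs in rules:
        if all(matches(kind, pat, parts.get(key, ""))
               for key, (kind, pat) in attrs.items() if key != "type"):
            verdict, winner = attrs["type"][1], rule_id
    return verdict, winner


def compare(rule_sets, probes):
    """One row per probe: (url, (verdict, rule) for each rule set)."""
    return [(url, *[evaluate(rules, url) for rules in rule_sets]) for url in probes]


if __name__ == "__main__":
    docs, ams = parse_rules(DOC_STYLE_RULES), parse_rules(AMS_RULES)
    print(f"{'probe':44} {'doc-style':14} ams")
    for url, d, a in compare([docs, ams], PROBES):
        print(f"{url:44} {d[0] + '/' + d[1]:14} {a[0]}/{a[1]}")
```

Under the model the path scope does the work: `/bin/...` and `/crx/...` never match `/path "/content/*"`, so the `;%0aa.css` tail that satisfied a `*.css`-style entry no longer buys anything, and `.tidy.json` or `jcr:content.json` fail the extension list. The same replay also shows what the rule alone does not cover: `/content/mypage/en.feed.html` and `/content/mypage/en.html?debug=layout` still pass it, because the selector and the query string are not part of the match, so selector and query deny rules remain necessary alongside it. The model does not decode path parameters, so it says nothing about how the real Dispatcher treats a `;%0aa.css` tail on a `/content/...` URL; verify that against a live instance with the trace log, as in the comment above.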

aheim0 commented 4 years ago

Tracking with CQDOC-16591.