Bilal-S / iis2tomcat

AJP Connector between Internet Information Services (IIS) and Apache Tomcat
http://www.boncode.net/boncode-connector

New Adobe CF servlet that we should probably block #69

Closed bdw429s closed 6 years ago

bdw429s commented 6 years ago

Adobe CF 2018 has added a new servlet mapping for use with the new Performance Monitor Toolkit.

The Adobe engineers told me this mapping has special treatment in their proprietary connectors and is blocked for security purposes. To allow for the same level of security, BonCode should probably block it as well. I think the only question is:

  1. Does BonCode block it 100% of the time?
  2. Do we tie this to the enableRemote flag so it gets blocked along with the remote administrators?

Please note, the engineers also told me they created a special mapping called /connector that allows the IIS connector to send information to the new performance monitor but I'm unclear on whether it's a Java servlet mapping or just a special route in their IIS connector. Either way, I'm not sure if BonCode needs to do anything with it, but I suppose you should be aware of it.

Bilal-S commented 6 years ago

OK. Thanks, Brad. I will include notes in docs.

Bilal-S commented 6 years ago

Updated docs. Closing.

bdw429s commented 6 years ago

@Bilal-S Thx and to be clear, did you modify Boncode to block this path along with the admin URL, or did you just add a note to the docs for the user to manually block the path? If you just updated the docs, should I add a second ticket to actually block the path like the Adobe connector does?

Bilal-S commented 6 years ago

/pms has been blocked. No code change for /connector except for docs updated.

bdw429s commented 6 years ago

Excellent. And to confirm, /pms is blocked in all cases, or only when the enableRemote flag is enabled? From what the Adobe engineers told me, the /connector servlet never exists on J2E installs so there should, in theory, not be a need to block it.

Bilal-S commented 6 years ago

Yes, with 1.0.38 onward that will be the case. You can, of course, block any path via IIS tools already.
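For sites still on a connector older than 1.0.38, or where you want the block enforced independently of the connector, the path can be denied in IIS itself, as the last comment suggests. The following is an added example (not BonCode's own configuration and not from the thread); it assumes IIS Request Filtering is installed and goes in the site's web.config. The segment name comes from the thread (/pms); the admin path is deliberately left as a placeholder because the thread does not name it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- hiddenSegments rejects any URL whose path contains a segment
             with this name (e.g. /pms, /pms/foo), case-insensitively,
             before the request ever reaches the BonCode handler. -->
        <hiddenSegments>
          <add segment="pms" />
          <!-- Placeholder: replace with the CF admin segment you also
               block when enableRemote is off, if you manage it here. -->
          <add segment="ADMIN-SEGMENT-PLACEHOLDER" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Verify after deploying by requesting /pms from a non-local client and confirming IIS answers with a 404 rather than proxying to Tomcat; the IIS log will show the request-filtering sub-status instead of a handler hit.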