Netcentric / pickaxe-security-scanner

Pickaxe is a fast and customizable security scan library which simplifies security testing for web applications like Adobe Experience Manager or API services. It can be plugged into a Maven build to execute built-in checks or custom user-provided security checks. Custom security checks can be defined via YAML files or a Groovy-based DSL.
Eclipse Public License 1.0

Clarify rule https://github.com/Netcentric/pickaxe-security-scanner/blob/08a83e6534ecf175fead2bfec74fe06d300072e3/pickaxe-scans/src/main/resources/misconfiguration/currentuser-status-servlet-exposed.groovy#L25 #31

Closed kwin closed 1 year ago

kwin commented 1 year ago

Currently the servlet which exposes info about the currently logged in user is not blocked by default e.g. in https://github.com/adobe/aem-project-archetype/blob/183706c16758fc02a8becc16d2dc8a5b55e7ef46/src/main/archetype/dispatcher.cloud/src/conf.dispatcher.d/filters/default_filters.any#L45 but rather explicitly enabled. I fail to see the issue with that endpoint as that only returns information about the currently logged in user (in case someone is logged in). Still it is reported with severity high in https://github.com/Netcentric/pickaxe-security-scanner/blob/08a83e6534ecf175fead2bfec74fe06d300072e3/pickaxe-scans/src/main/resources/misconfiguration/currentuser-status-servlet-exposed.groovy.

kwin commented 1 year ago

In fact Adobe recommends to allow that path explicitly in https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/getting-started/security-checklist.html?lang=en#prevent-denial-of-service-dos-attacks

Then, configure filters to allow access to the following node paths: .... /libs/granite/security/currentuser.json (data must not be cached)

kwin commented 1 year ago

Seems this has been inspired by https://github.com/0ang3el/aem-hacker/blob/3ce91f217b259b0b4e6abd07f56d453b0c82b46b/aem_hacker.py#LL637C91-L637C91, but in fact basic auth credentials are usually stripped in dispatcher, so this cannot be used to brute-force credentials.

thomashartm commented 1 year ago

Makes sense. I removed the check.