The AEM Groovy Console provides an interface for running Groovy scripts in the AEM container. Scripts can be created to manipulate content in the JCR, call OSGi services, or execute arbitrary code using the CQ, Sling, or JCR APIs.
159 stars, 94 forks
By default an anonymous attacker can execute arbitrary code via ScriptPostServlet #85
Currently an anonymous attacker can execute arbitrary shell commands through ScriptPostServlet if Groovy Console is installed and not configured. Zero configuration is great for usability but catastrophic for security. It's explicitly written in the documentation: "Allowed Groups - List of group names that are authorized to use the console. If empty, no authorization check is performed." Nevertheless, I guess a lot of AEM installations are vulnerable where teams install Groovy Console, keep the default configuration, forget to block /bin/groovyconsole/post on Dispatcher and leave it exposed to the Internet.
It would be great to make Groovy Console secure by default.