shinesolutions / inspec-aem-security

InSpec profile for compliance with AEM security checklist
Apache License 2.0

Add check to inspec run, if `/content/..;/crx/*` path is blocked in dispatcher #10

Closed veldotshine closed 1 year ago

veldotshine commented 3 years ago

Describe the bug

It has been identified that there is a bug in Adobe AEM which allows attackers to bypass authentication and gain access to CRX Package Manager through the dispatcher. Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations. With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager and leverage it to achieve Remote Control Execution (RCE) and gain full control of the application. AEM Opencloud has already blocked such endpoints previously.

To Reproduce

Steps to reproduce the behavior:

  1. Create a fullset environment using aem-opencloud v5.2.0
  2. After switching DNS, access the endpoint below
  3. http:///content/..;/crx/packmgr/service.jsp

Expected behavior

This endpoint should be blocked at the publish dispatcher endpoint, and the request should be redirected to the default site error page. If the endpoint is accessible, the inspec run should pick it up in the test run.


Additional context

Also ensure this path is included in inspec-aem-security, so that it verifies the path is added to the blocked list: `/content/..;/crx/*`

cliffano commented 1 year ago

The deny rule for this report has been added as part of https://github.com/shinesolutions/aem-helloworld-publish-dispatcher/pull/18 and released in aem-helloworld-publish-dispatcher 0.13.0
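
The check requested in this issue, written as an added example in plain Ruby; it is not the profile's own InSpec control nor code from this repository. The probe path is the one from the report, while the host and port arguments, the function names and the pass/fail policy (403, 404 or a redirect away from `/crx` counts as blocked) are assumptions.

```ruby
require 'net/http'

# Path from the issue report; host, port and the pass/fail policy are assumptions.
PROBE_PATH = '/content/..;/crx/packmgr/service.jsp'

# True when the response shows the dispatcher refused the request:
# a 403/404, or a redirect that does not lead back into /crx.
# Anything else (2xx, a 401 from the backend, 5xx) counts as a failed check.
def blocked?(status, location = nil)
  code = status.to_i
  return true if [403, 404].include?(code)
  return !location.to_s.include?('/crx') if (300..399).cover?(code)

  false
end

# Send the path exactly as written. Net::HTTP does not normalise a
# string path, so the "..;" segment reaches the dispatcher unchanged.
def probe(host, port, path = PROBE_PATH, tls: false)
  Net::HTTP.start(host, port, use_ssl: tls, open_timeout: 5, read_timeout: 5) do |http|
    res = http.request(Net::HTTP::Get.new(path))
    [res.code.to_i, res['location']]
  end
end

# Result record that a test run can assert on.
def check_dispatcher(host, port, tls: false)
  status, location = probe(host, port, tls: tls)
  { path: PROBE_PATH, status: status, location: location,
    blocked: blocked?(status, location) }
end

# Runs only when a host is given: ruby check.rb <publish-dispatcher-host> [port]
if ARGV[0]
  result = check_dispatcher(ARGV[0], (ARGV[1] || 80).to_i)
  puts result
  exit(result[:blocked] ? 0 : 1)
end
```

The non-zero exit status on an unblocked path lets a pipeline fail the run, which is the behaviour the issue asks the inspec run to have.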