Security Issues In AEM Dispatcher Rules

Nov. 5, 2019, 7:19 a.m.   bryce   AEM Security AEM Dispatcher  


The default rules that ship with the Adobe Experience Manager (AEM) Dispatcher should always be modified before moving the configurations to production. Out of the box there are several holes that can cause security concerns. Most AEM Architects are aware that the first rule of any good Dispatcher configuration is the "deny all" rule. This is the case for any production system, always block everything and then only allow needed paths to be opened.

However, even with a "deny all" rule, there are many rules that can cause issues and allow unexpected access to sensitive areas of AEM. For instance, several of the Adobe Dispatcher examples contain issues which allow access with cleverly crafted URLs. Adding ;.css to a request, for example, bypasses most of the rules and allows users to reach sensitive areas thought to be secured (such as the CRX admin!).

Check this URL out on your site to see if you can see the CRX admin screen: http://<WEBSITE>/crx/explorer/index.jsp;.css. If you can see this page, yikes! You have a security vulnerability!

CRX Security Screen

How to fix this!

So how do we fix this issue where adding ;.css grants you access to sensitive locations? Check out your dispatcher.any filter rules. Are there any rules such as these?

      # Enable specific mime types in non-public content directories
      /0041 { /type "allow" /url "*.css"   }  # enable css
      /0042 { /type "allow" /url "*.gif"   }  # enable gifs
      /0043 { /type "allow" /url "*.ico"   }  # enable icos
      /0044 { /type "allow" /url "*.js"    }  # enable javascript
      /0045 { /type "allow" /url "*.png"   }  # enable png
      /0046 { /type "allow" /url "*.swf"   }  # enable flash
      /0047 { /type "allow" /url "*.jpg"   }  # enable jpg
      /0048 { /type "allow" /url "*.jpeg"  }  # enable jpeg
      /0049 { /type "allow" /url "*.svg"  }  # enable svg

These were provided in many dispatcher.any examples as a means to enable your images and includes. However, these rules also are what provide one of these security loopholes!

In the latest dispatcher.any that ships with version 4.3.3 Adobe has changed these rules to look like this:

      # Enable extensions in non-public content directories, using a regular expression
      /0041
        {
        /type "allow"
        /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)'
        }

We are still testing whether this update fixes the known issues and we will update this blog with our results. In the meantime, these rules have been crafted to block some of the most egregious issues (hat tip: Dwayne Hale from Rackspace!):

  #vuln 1
  /9990 { /type "deny" /url "*.infinity.*" }
  #vuln2
  /9991 { /type "deny" /url "/crx*" }
  /9992 { /type "deny" /url "/system*" }
  #vuln3 block querybuilder
  /9993 { /type "deny" /url "/bin/querybuilder*" }
  #vuln4 
  /9994 { /type "deny" /url "*/.*"}

Hopefully these rules help you secure your enterprise sites when using AEM Dispatcher.

For help fixing any AEM Dispatcher vulnerabilities please reach out to the AEM Experts at Arbory Digital via 1-877-AEM-4502 today!


aem security dispatcher