Querybuilder API bypasses dispatcher filters and exposes sensitive information

This article addresses an access control issue in Adobe Experience Manager as a Cloud Service (AEMaaCS) where the Querybuilder API can bypass dispatcher filters, potentially exposing sensitive information. The resolution involves updating the configuration to block unauthorized access to specific endpoints.

Description

Environment
Product: Adobe Experience Manager (AEM) as Cloud Service - Sites

Issue/Symptoms
Requests to specific endpoints, such as /bin/querybuilder.json or /etc/truststore.json, bypass dispatcher filters when encoded slashes (%2F) are used in the URL. This allows unauthorized access to internal nodes and sensitive files.

Resolution

To resolve this issue, follow these steps:

Open each affected virtual host configuration file.

Locate the <VirtualHost> tag within the configuration file.

Add the following LocationMatch block inside the <VirtualHost> tag:

<LocationMatch "(?i)/(etc/truststore.json|bin/querybuilder.json)(;|%3B)">
    ProxyPass "!"
</LocationMatch>

Save the changes to the virtual host configuration file.

Test by sending a request similar to http://localhost:8082/%2fbin%2fquerybuilder.json?path=/etc. Ensure that it returns a 404 Not Found error, indicating that encoded slashes are blocked at the Apache level before reaching Dispatcher.
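As an added example that is not part of this article, the Python script below scans Apache access log lines for the request shapes described above: an encoded slash (%2F) in the request path, and hits on the two endpoints followed by a ";" or "%3B" suffix. The log lines are constructed, and decoding the path once before matching is an assumption used to approximate how Apache sees the path.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format, not taken from a real system).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc HTTP/1.1" 404 196
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /bin/querybuilder.json;.css?path=/home HTTP/1.1" 200 842
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "GET /etc/truststore.json%3B.png HTTP/1.1" 200 311
10.0.0.5 - - [12/Mar/2024:10:02:30 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 2048
"""

# Minimal parser for the request line fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same two endpoints the article's LocationMatch rule names, case-insensitive.
SENSITIVE_RE = re.compile(r'(?i)/(etc/truststore\.json|bin/querybuilder\.json)')
# Suffix after the .json extension, mirroring the (;|%3B) group in the rule.
SUFFIX_RE = re.compile(r'\.json(;|%3B)', re.I)


def classify(target):
    """Return the list of reasons a request target looks like the bypass pattern."""
    path = target.split('?', 1)[0]
    reasons = []
    if re.search(r'%2f', path, re.I):
        reasons.append('encoded-slash')
    decoded = unquote(path)  # assumption: one decode step, as Apache does before matching
    if SENSITIVE_RE.search(decoded):
        reasons.append('sensitive-endpoint')
        if SUFFIX_RE.search(decoded):
            reasons.append('suffix-after-extension')
    return reasons


def scan(log_text):
    """Yield (ip, target, status, reasons) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m['target'])
        if reasons:
            findings.append((m['ip'], m['target'], int(m['status']), reasons))
    return findings


if __name__ == '__main__':
    for ip, target, status, reasons in scan(SAMPLE_LOG):
        verdict = 'blocked' if status == 404 else 'SERVED'
        print(f'{ip} {target} -> {status} ({verdict}): {", ".join(reasons)}')
```

A 200 on a flagged line means the request reached the publish instance, so those entries are the ones to review after the LocationMatch block is deployed.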
