Disable passing on authorization header by default #1081
Comments
Also compare with the check in https://github.com/0ang3el/aem-hacker/blob/3ce91f217b259b0b4e6abd07f56d453b0c82b46b/aem_hacker.py#L619.
@kwin default_clientheaders.any does NOT need to be included from clientheaders.any:
AFAIK the Authorization header was added 2 years back to support authentication for the Sync Doc APIs - see https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/developing/generating-access-tokens-for-server-side-apis.html?lang=en#the-server-to-server-flow /cc: @jalagari
@krystiannowak Thanks for the pointers. Still I would consider that an insecure default. Maybe you can somehow tweak the dispatcher to only allow
@kwin /clientheaders is a simple list of strings (representing header names) as per https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/dispatcher-configuration.html?lang=en#specifying-the-http-headers-to-pass-through-clientheaders - so there is no filtering by value or matching any kind of regular expression in it
In aem-project-archetype/src/main/archetype/dispatcher.cloud/src/conf.dispatcher.d/clientheaders/default_clientheaders.any (line 43 in 183706c) the Authorization header is forwarded to AEM. That can be abused with certain endpoints to do brute-force credential attacks on the Basic Auth Handler (compare with https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/disable-basic-authentication/m-p/359084/highlight/true#M48638). Therefore I would argue that by default those headers should not be forwarded to the backend. The default AEM authorization relies on cookies only (and not the Authorization header, which is only used for OAuth and Basic Auth). As that is an immutable file and customers can only add additional headers on top, this base configuration makes it impossible to strip Authorization headers (except with workarounds like using mod_headers).
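An added audit helper for the situation described in the issue body and in the "simple list of strings" comment above; it is not code from the archetype or from this thread. It reads the dispatcher clientheaders .any files, follows $include lines, and reports whether Authorization (or a pass-everything wildcard) ends up in the forwarded list. The file format it accepts (one quoted header name per line, "#" comments, $include "file" relative to the including file) and the sample file layout are assumptions.

```python
import posixpath
import re

# Assumed shape of the clientheaders .any files: one quoted header name per
# line, "#" comments, and $include "file" lines resolved relative to the
# including file. The real dispatcher parser accepts more than this.
INCLUDE_RE = re.compile(r'^\$include\s+"([^"]+)"')
HEADER_RE = re.compile(r'^"([^"]+)"')


def read_clientheaders(name, fetch, seen=None):
    """Return every header name the config forwards, following $include lines.

    `fetch(name)` returns the text of a config file, so the same parser works
    on disk (fetch=lambda n: open(n).read()) or on an in-memory sample.
    """
    seen = set() if seen is None else seen
    if name in seen:                      # guard against include cycles
        return []
    seen.add(name)
    headers = []
    for raw in fetch(name).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(name), inc.group(1)))
            headers += read_clientheaders(target, fetch, seen)
            continue
        hdr = HEADER_RE.match(line)
        if hdr:
            headers.append(hdr.group(1))
    return headers


def credential_headers_forwarded(headers):
    """Forwarded names that carry credentials outright or pass everything."""
    return [h for h in headers if h.lower() in ("authorization", "*")]


# Constructed sample mirroring the assumed archetype layout: the customer
# file only includes the immutable default file, which lists Authorization.
SAMPLE = {
    "conf.dispatcher.d/clientheaders/clientheaders.any":
        '$include "./default_clientheaders.any"\n"X-Custom-Header"\n',
    "conf.dispatcher.d/clientheaders/default_clientheaders.any":
        '# defaults shipped with the archetype (constructed)\n'
        '"X-Forwarded-Proto"\n"Cookie"\n"Authorization"\n',
}


def audit_sample():
    headers = read_clientheaders(
        "conf.dispatcher.d/clientheaders/clientheaders.any", SAMPLE.__getitem__)
    return credential_headers_forwarded(headers)
```

Running `audit_sample()` on the constructed sample reports `['Authorization']`, showing that a customer who only edits clientheaders.any cannot remove the entry pulled in from the included default file.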