1.
I am managing a website which uses Adobe CQ5 as its management system. I am aware that there is a tool, querybuilder.json, in the /bin folder. My question is: if an outside user were to use this tool, which API syntax would they use to query "important" or "sensitive" information? I need to know this so that I can block access to those syntax strings during GET or POST. Any help is appreciated, thanks!
So, what I'm asking is: if an attacker got access to the query builder link, would he be able to query passwords or internal logins, and if so, how? And if so, which syntax for the query builder can I remove to prevent this?
2.
Also, would anyone be able to tell me the proper syntax for the Adobe QueryBuilder that gives you the hostname or web location of the directory it lists?
So, for example, if I got back /apps/geometrixx/user/login as output, I would also want the URL at which this file path is located on my server. Is there syntax available for this?
Please consider disabling all requests to paths starting with the /bin prefix for your publish instance.
This is a common storage location for all servlets that are very useful for authoring but not as much for the other instance.
If you have any custom servlets in the application, please take a look at the Apache Sling documentation and consider using resource-based servlets.
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
@SlingServlet(resourceTypes = "sling/servlet/default", selectors = "hello", extensions = "html", methods = "GET")
public class MyServlet extends SlingSafeMethodsServlet {
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
        // request.getResource() is the node the URL resolved to; the resolver has already applied its ACLs
        response.getWriter().write("Hello from " + request.getResource().getPath());
    }
}
This way you can control access to the servlet using ACLs: if you have access to the node (i.e. you can see it / render a component based on this resource), you have access to the servlet.
The best way to prevent unauthorized access to tools like this is to deny *.json on your dispatcher and only allow calls to your application-specific JSON. A good starting point for what you should do can be found in the Security Checklist.
Documentation for the Query Builder can be found here: http://docs.adobe.com/docs/en/aem/6-0/develop/search/querybuilder-api.html
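The two answers above both come down to Dispatcher filter rules, and the detail that bites people is evaluation order: every rule is checked and the last one whose pattern matches decides. The script below is an added example written for this page (it is not from the thread, from Adobe, or a real Dispatcher); it simulates that "last match wins" behaviour over a rule set mirroring the advice given (deny all, allow content, deny /bin and *.json, then re-allow one application endpoint). The /content/myapp path and the *.search.json endpoint are made-up placeholders, and only the path is matched, whereas a real Dispatcher also looks at method, extension, selectors, suffix and query string, so confirm any rule set against the running instance.

```python
from fnmatch import fnmatchcase

# Rule set in file order, constructed to mirror the answers above:
# deny everything, allow site content, shut /bin and every *.json,
# then re-open only the application's own JSON endpoint (hypothetical path).
FILTERS = [
    ("deny",  "*"),
    ("allow", "/content/*"),
    ("deny",  "/bin/*"),
    ("deny",  "*.json"),
    ("allow", "/content/myapp/*.search.json"),
]

# Same rules with the application-specific allow moved ABOVE the *.json deny.
MISORDERED = [FILTERS[0], FILTERS[1], FILTERS[4], FILTERS[2], FILTERS[3]]


def is_allowed(path, filters=FILTERS):
    """Return True if the request path is let through.

    Every rule is evaluated; the LAST one whose glob matches decides.
    A path matched by no rule at all is denied.
    """
    decision = False
    for action, glob in filters:
        if fnmatchcase(path, glob):
            decision = action == "allow"
    return decision


def audit(paths, filters=FILTERS):
    """Map each candidate path to its decision; useful as a regression list."""
    return {p: is_allowed(p, filters) for p in paths}


if __name__ == "__main__":
    probes = [
        "/bin/querybuilder.json",
        "/content/myapp/en.html",
        "/content/myapp/en.infinity.json",
        "/content/myapp/en.search.json",
    ]
    for path, ok in audit(probes).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {path}")
    # With the misordered rules the later "*.json" deny overrides the allow:
    print("misordered:", is_allowed("/content/myapp/en.search.json", MISORDERED))
```

Run it and compare the two rule orders: the same application endpoint is allowed under FILTERS and denied under MISORDERED, which is exactly the mistake that shows up when an "allow my JSON" rule is pasted above the broad deny rather than below it.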
How can Symfony deliver static files without bootstrapping/executing the framework?
For example: if some requests fail at the webserver (images or JS files are not found, or something like this), then the framework tries to resolve the route. Of course this route does not exist.
Is there a way to avoid this or blacklist these extensions?
It could be a cache problem.
If it is:
If it is a cache problem, you could try to clear the cache on the Symfony console with cache:clear. If it doesn't work, you could try to remove the resources in the general folder, leaving the original ones in your bundle, and run assetic:dump and assets:install.
If it isn't:
Regarding the "remove Symfony routing" thing, I don't know if it's possible, but it should not be done anyway.
What you're asking is to be able to access, from the client side, any file on the server, which constitutes a major security breach.
This could allow the client to get any file on the server, meaning he could get his hands on your JavaScript or PHP files, which most of the time contain valuable information (such as how your app works or, even deadlier, global passwords and config values).
What you could do to access resources from the client would be a route that points to a controller function that outputs the file you're looking for to the browser, provided that it has an extension you'd be OK to share. For example, you could allow any image file but forbid code files such as PHP or JavaScript.
EDIT: Or yeah, configure your webserver correctly. 2 simple answers while I was typing :D
Using Alfresco web scripts I can log in and get a ticket, but I can't find any script to get the user home folder. I can get folders inside another folder using the script below: GET /alfresco/service/slingshot/doclib/doclist/{type}/node/{store_type}/{store_id}/{id} But after login I don't know the user home ID. Does anybody know how to do it?
The userhome, once authenticated, is considered to be a root object if you are dealing with classic webscripts.
https://wiki.alfresco.com/wiki/5.0_JavaScript_API#Root_Scope_Objects
You can access it via
var name = userhome.properties.name
Or you can use any of the other properties you may need via the Scripting Node API.
If you are looking for a webscript that just returns the userhome, you may need to create your own webscript to access just their User Home information. This can be done quickly, and I recommend following this tutorial to learn how to create one that fits what you are looking to do:
http://ecmarchitect.com/alfresco-developer-series-tutorials/webscripts/tutorial/tutorial.html
I have an application which creates page routes from a database. My whole site is secured with forms authentication, but I need to allow unauthenticated users to access these routes. I don't want to hard-code <location> tags for the routes in the web.config, as this would negate my using a database to generate the routes.
Can anyone help?
Thanks everyone. I've found an answer here
Basically it involves creating a folder for each route and putting a web.config file in it allowing access. This approach needs to be coupled with setting RouteExistingFiles to false so that the routes don't get confused with the folders.
Rather than using strongly typed configuration classes, why not make the modifications directly in XML?
Here's an abbreviated snippet to demonstrate the concept, from some code of mine that performs IIS tuning in the machine.config. The principle is the same for other XML config files, though. You just need to create the appropriate XPath statements to do what you need.
XmlDocument machineConfigFile = new XmlDocument();
machineConfigFile.Load(MachineConfigPathString);
// The XPath selects the autoConfig attribute node itself, so .Value is the attribute's value
XmlNode autoConfig = machineConfigFile.SelectSingleNode(@"/configuration/system.web/processModel/@autoConfig");
autoConfig.Value = "false";
machineConfigFile.Save(MachineConfigPathString);
When saved, the XmlDocument object will preserve all other untouched document nodes. Very handy. It works great for modifying the machine.config. The only possible issue I can see is that your application will probably reset when you save your changes to the web.config. So test it out in a safe environment with a backup of your web.config just in case the reset causes any undesired outcomes!
I found this MSDN link for you. I didn't find whether you can modify the config of running server instance this way though.
Have you considered implementing your site security in a different way? Having a portion of the site that allows unauthenticated access and a portion that does not. I am "assuming" (bad) that you are using MVC since you are describing routes; this is very easy to do with both MVC and traditional web forms applications.
I am working on a project that is primarily ASP.NET based. The main project is meant to be deployed to multiple locations for different clients, so one client might be located at website.com/client1 and another at website.com/client2. Within the application, we regularly use the application root operator ~ to get the path to a resource.
We also have a bunch of Flex applications that get deployed in there, and many rely on web services within the ASP.NET application. What I'm after is a way to reference the services relative to the application root. Here's an example of the location of some files for two client deployments:
Client A
website.com/clientA/swf/FlexApplication.swf
website.com/clientA/services/webService.asmx
Client B
website.com/clientB/swf/FlexApplication.swf
website.com/clientB/services/webService.asmx
FlexApplication and webService are both exactly the same, so what I want to do is something like this in the Flex code:
var myService:CustomService = new CustomService(~/services/webService.asmx);
myService.callMethod("Test");
I would like to avoid using relative paths for the usual reasons. Is there a good way to do this or a good way to pass the root url to the flex application from ASP.NET? Thanks in advance.
It's definitely a good idea to avoid relative URLs. The easiest way is to pass the information in via FlashVars in the HTML embed statement.
Check out Adobe's documentation on using FlashVars with Flex: http://livedocs.adobe.com/flex/3/html/help.html?content=passingarguments_3.html
Summary:
Add a line to the HTML embed statement like this:
<param name='flashVars' value='serviceRoot=/myserviceRoot'/>
Then access it in Flex via the mx.core.Application.application.parameters accessor
import mx.core.Application;
var parameters:Object = Application.application.parameters;
var serviceRoot:String = parameters['serviceRoot'];
"relative to the application root"
Flex knows nothing about the application root of an ASP.NET application. The only thing that the Flex app knows is the URL that it is served from. It does not know the URL of the page. Keep in mind that the URL of the page and the URL of the SWF are not the same.
It appears, given your directory structure, that you can use the SWF's URL to get the information you're after.
In a Flex 3 application, you can use the url property of the Application tag:
(Application.application as Application).url
In a Flex 4 Spark application, you can also use the url property of the Application Tag, but you have to get it differently:
(FlexGlobals.topLevelApplication as Application).url
Then you can parse it with URLUtils to get your directory structure. Probably store that as a global variable in your Flex application somehow and use it to construct the URL for the service calls you are making to the remote server.
I use this handy little utility to get URL information via javascript inside the .swf.
http://www.flexpasta.com/index.php/category/utility-classes-that-help-you-deal-with-string-numbers-arrays-and-objects-in-actionscript/
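The second answer's approach (the SWF knows only its own URL, and with the directory layout in the question the application root is one directory above the swf/ folder) is shown below as an added example written for this page in Python rather than ActionScript; it is not the thread's code and does not use Adobe's URLUtil. The only assumption beyond the question's own URLs is the https scheme. It also handles a cache-busting query string on the SWF URL and a configurable depth, in case the SWF is nested more than one level below the root.

```python
from urllib.parse import urlsplit, urlunsplit


def app_root_from_swf_url(swf_url, swf_depth=1):
    """Return the application root (ending in '/') the SWF was served under.

    swf_depth is how many directory levels the SWF sits below the root; the
    layout in the question (root/swf/FlexApplication.swf) is one level.
    Query strings such as cache-busters on the SWF URL are ignored.
    """
    parts = urlsplit(swf_url)
    dirs = parts.path.split("/")[:-1]          # drop the file name
    if swf_depth < 0 or len(dirs) - 1 < swf_depth:
        raise ValueError(f"{swf_url!r} is not {swf_depth} level(s) below a root")
    if swf_depth:
        dirs = dirs[:-swf_depth]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(dirs) + "/", "", ""))


def service_url(swf_url, app_relative, swf_depth=1):
    """Resolve an ASP.NET-style '~/services/webService.asmx' against that root."""
    rel = app_relative[2:] if app_relative.startswith("~/") else app_relative.lstrip("/")
    return app_root_from_swf_url(swf_url, swf_depth) + rel


if __name__ == "__main__":
    # The two deployments from the question (scheme assumed).
    for client in ("clientA", "clientB"):
        swf = f"https://website.com/{client}/swf/FlexApplication.swf?cb=20240101"
        print(service_url(swf, "~/services/webService.asmx"))
```

Because the root is derived from where the SWF was actually loaded, the same compiled SWF resolves to /clientA/services/... or /clientB/services/... without any per-client configuration or a FlashVar that the embedding page has to get right.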
I am using the rather excellent IIS7 Rewrite module (V2), and want to create a custom RewriteProvider that rewrites differently depending on whether the physical file exists.
I have successfully created a provider, as in this tutorial:
http://learn.iis.net/page.aspx/804/developing-a-custom-rewrite-provider-for-url-rewrite-module/
However, I really need to be able to map the URL to a physical path. I would normally do this via HttpContext.Current.Server.MapPath() or HostingEnvironment.MapPath(), but it looks like the HttpContext has not been initialised (at least within the current AppDomain; since the Rewrite module is native code, I'm having difficulty working out where I can get this information).
I don't really want to have to resort to creating my own rewrite module to get around this problem - anyone have any clues for me?
Thanks!
Mark.
You will not be able to get to it using those APIs, since the code runs in a different AppDomain than the one ASP.NET is using.
The only way I can think to make this work is to pass the right Server Variable that includes the physical path to your extension and do a Path.Combine() yourself.
So assuming you have an extension called YourProvider that you are calling somehow like this:
{YourProvider:{URL}}
You can do:
{YourProvider:{APPL_PHYSICAL_PATH}|{URL}}
You now get the physical path and the URL separated by a pipe (|). Make sure to pass the physical path first: since the URL is under the control of external users, you do not want them to trick you into resolving a different physical path.
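The rewrite answer above and the Symfony answer earlier on this page describe the same operation from two sides: take a client-supplied URL, map it onto a physical directory, and decide whether to serve or rewrite. The code below is an added example for this page (Python, not the .NET provider or a Symfony controller, and not anybody's posted code) that carries both pieces of advice through: the physical root comes first in the packed `{APPL_PHYSICAL_PATH}|{URL}` argument and is split off on the first pipe, the join strips the URL's leading slash (posixpath.join, like .NET's Path.Combine, discards the root when the second argument is rooted), traversal and encoded dots are normalised and the result is confirmed to still be under the root, and an optional extension allow-list refuses PHP and config files the way the Symfony answer suggests. The web root, its three files and the sample URLs are constructed in a temporary directory; the Windows-style root in the demo string is a placeholder.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote, urlsplit


def split_provider_arg(arg):
    """Split '<physical root>|<url>' on the FIRST pipe only.

    The root is supplied by the server ({APPL_PHYSICAL_PATH}) and comes first;
    the URL is supplied by the client and may itself contain '|', so splitting
    from the right would let the client choose the root.
    """
    physical, _, url = arg.partition("|")
    return physical, url


def naive_join(root, url):
    """The bug the rewrite answer warns about: joining with a path that starts
    with '/' throws the root away (posixpath.join here; .NET's Path.Combine
    does the same with a rooted second argument)."""
    return posixpath.join(root, url)


def map_url_to_physical(root, url, allowed_extensions=None):
    """Return the regular file under root that url refers to, or None.

    None means refuse: the path would escape root (via '..', %2e%2e or a
    symlink), the extension is not on the allow-list, or nothing is there.
    """
    path = unquote(urlsplit(url).path)                  # strip ?query, decode %2e%2e
    if "\x00" in path:
        return None
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse '.', '..', '//'
    if allowed_extensions is not None:
        if posixpath.splitext(path)[1].lower() not in allowed_extensions:
            return None
    real_root = os.path.realpath(root)
    # lstrip is what makes this join safe; compare naive_join() above.
    candidate = os.path.realpath(os.path.join(real_root, path.lstrip("/")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None                                     # symlink pointing out of root
    if not os.path.isfile(candidate):
        return None
    return candidate


def physical_file_exists(provider_arg, allowed_extensions=None):
    """What a RewriteProvider fed {APPL_PHYSICAL_PATH}|{URL} would answer."""
    root, url = split_provider_arg(provider_arg)
    return map_url_to_physical(root, url, allowed_extensions) is not None


def build_demo_root():
    """Constructed web root: one image, one PHP file and one config file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "images"))
    for rel in ("images/logo.png", "index.php", "web.config"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x")
    return root


STATIC_EXTENSIONS = {".png", ".jpg", ".gif", ".css"}

if __name__ == "__main__":
    root = build_demo_root()
    for url in ("/images/logo.png?v=2", "/index.php",
                "/images/../web.config", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{url:30} -> {map_url_to_physical(root, url, STATIC_EXTENSIONS)}")
    print("naive join:", naive_join(root, "/etc/passwd"))
    print("provider  :", physical_file_exists(root + "|/images/logo.png"))
```

Note what the allow-list changes: without it, `/images/../web.config` normalises to `/web.config`, which is inside the root and exists, so it is returned; with the static-file allow-list it is refused on extension alone. The containment check is still needed because normalisation cannot see symlinks.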