[+] #BugbountyTip:
Invalidate / Flush Cached Pages From AEM - This is one of the most underrated vulnerabilities that hardly anyone knows about! I will share all details in this thread.
#Bugbounty #TogetherWeHitHarder #BugbountyTip
I discovered this in 2015 simply by going through the official Adobe AEM dispatcher security checklist again and again!
https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/dispatcher-configuration.html#limiting-the-clients-that-can-flush-the-cache
#AdobeAEM #Dispatcher #Security #Checklist
[+] Vulnerability Type: Improper Access Control
Some programs accept this as Low severity, most programs accept this as Medium severity, and a very few will actually accept the risk.
Max reward I earned from a single submission: $500 (multiple times)
Lowest bounty rewarded: $50
[+] Impact:
Unauthorized attackers can invalidate/flush the dispatcher cache remotely without any rate limiting. If this is done repeatedly, it can severely impact site performance.
[+] Solution:
This happens because the "/allowedClients" property is not defined in the dispatcher configuration of the target AEM instance.
The /allowedClients property should define the specific clients that are allowed to flush the cache (delete and/or modify/update files) on the server.
Oh and you will probably find hundreds of vulnerable AEM instances out there right now :)
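
For defenders, the /allowedClients fix described above can be checked offline against your own dispatcher.any. This is an added example, not code from the thread or from Adobe: the function names, the simplified grammar (quoted values only, no `$include`), the sample configs and the IP 10.0.0.5 are all assumptions, and "deny-all first, then specific allows" is the rule pattern it expects.

```python
import re
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|/[\w.\-]+|[{}]')
DENY_ALL = re.compile(r'\*(\.\*)*')          # "*" or "*.*.*.*"

def parse(text):
    """Parse dispatcher.any-style text into nested dicts (simplified grammar)."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(toks):
            tok = toks[pos]
            pos += 1
            if tok == "}":
                break
            if tok.startswith("/") and pos < len(toks):
                val = toks[pos]
                pos += 1
                node[tok] = block() if val == "{" else val.strip('"')
        return node
    return block()

def find(node, key):
    """Yield every sub-block stored under `key`, at any depth."""
    for k, v in node.items():
        if isinstance(v, dict):
            if k == key:
                yield v
            yield from find(v, key)

def audit_flush_acl(text):
    """Return findings per /cache section; an empty list means none found."""
    findings = []
    for cache in find(parse(text), "/cache"):
        acl = cache.get("/allowedClients")
        rules = [r for r in acl.values() if isinstance(r, dict)] if isinstance(acl, dict) else []
        if not rules:
            findings.append("/allowedClients missing: any client may flush the cache")
            continue
        first = rules[0]
        if not (first.get("/type") == "deny" and DENY_ALL.fullmatch(first.get("/glob", ""))):
            findings.append("first rule is not a deny-all")
        findings += ["wildcard allow rule: " + r["/glob"] for r in rules
                     if r.get("/type") == "allow" and "*" in r.get("/glob", "")]
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK = '/farms { /site { /cache { /docroot "/var/www/html" } } }'
HARDENED = ('/farms { /site { /cache { /allowedClients { /0001 { /glob "*.*.*.*" /type "deny" } '
            '/0002 { /glob "10.0.0.5" /type "allow" } } } } }  # 10.0.0.5 = publish instance')
```

`audit_flush_acl(WEAK)` reports the missing property, while `audit_flush_acl(HARDENED)` returns an empty list.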