5 Replies Latest reply: Jul 24, 2013 5:12 AM by Tim Goodman

Is this a security issue on dev.day.com?

Tim Goodman Jul 17, 2013 11:32 PM

Here's a question about dev.day.com, from the security checklist:

http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html

I noticed if you add a selector to the URL, e.g.

http://dev.day.com/docs/en/cq/current/deploying/security_checklist.123.html

It appears to hit the publish server (assuming it hasn't been hit before). Has the DoS attack prevent script been implemented on this site?

Also, you can just add a URL parameter to hit the publisher:

http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html?a=b

Shouldn't it be possible to block unknown query params or uncacheable requests via the dispatcher or webserver?

Thanks!

1. Re: Is this a security issue on dev.day.com?

Jörg Hoh Jul 20, 2013 1:21 PM (in response to Tim Goodman)

How do you detect, that your request has hit the publish?

Jörg
Like Show 0 Likes (0)

Actions
2. Re: Is this a security issue on dev.day.com?

Tim Goodman Jul 21, 2013 5:14 AM (in response to Jörg Hoh)

It definitely appears to load much slower.

Correct me if I am wrong!
Like Show 0 Likes (0)

Actions
3. Re: Is this a security issue on dev.day.com?

Jörg Hoh Jul 21, 2013 10:59 AM (in response to Tim Goodman)

Hi Tim

I forwarded your post internally. Thanks for reporting.

Jörg
Like Show 0 Likes (0)

Actions
4. Re: Is this a security issue on dev.day.com?

mildred_ignacio Jul 22, 2013 4:46 AM (in response to Jörg Hoh)

you can configure ignoreURLParams:
specified

the following will cause dispatcher to ignore all query string except a parameter

/ignoreUrlParams
        {
        /0001
          {
          /glob "*"
          /type "deny"
          }
        /0002
          {
          /glob "a"
          /type "allow"
          }

reference: http://dev.day.com/docs/en/cq/current/deploying/dispatcher/disp_config.html
Like Show 0 Likes (0)

Actions
5. Re: Is this a security issue on dev.day.com?

Tim Goodman Jul 24, 2013 5:12 AM (in response to mildred_ignacio)

Thanks Jorg and Mildred.

If the page can be updated that would be great - the security page is the main page that we show during training, so it needs to not only be accurate, but also reflect a best practice implementation.

Cheers!
Like Show 0 Likes (0)

Actions

Go to original post

Is this a security issue on dev.day.com?

1. Re: Is this a security issue on dev.day.com?

2. Re: Is this a security issue on dev.day.com?

3. Re: Is this a security issue on dev.day.com?

4. Re: Is this a security issue on dev.day.com?

5. Re: Is this a security issue on dev.day.com?

Actions

More Like This

Legend