5 Replies Latest reply on Jul 24, 2013 5:12 AM by Tim Goodman

    Is this a security issue on dev.day.com?

    Tim Goodman Level 1

      Here's a question about dev.day.com, from the security checklist:

      http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html

      I noticed if you add a selector to the URL, e.g.

      http://dev.day.com/docs/en/cq/current/deploying/security_checklist.123.html

      It appears to hit the publish server (assuming it hasn't been hit before). Has the DoS attack prevention script been implemented on this site?

      Also, you can just add a URL parameter to hit the publisher:

      http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html?a=b

      Shouldn't it be possible to block unknown query params or uncacheable requests via the dispatcher or webserver?

      Thanks!
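
The allowlist check the question asks about, sketched as an added example that is not part of the original post and is not dispatcher or CQ code: it splits a request into selectors, extension and query parameter names and reports anything outside a site's allowlists, which is the kind of request the post describes reaching the publisher instead of the cache. The allowlists, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy for this example (not from the post): the site serves only
# .html pages, with no selectors and no query parameters.
ALLOWED_EXTENSIONS = {"html"}
ALLOWED_SELECTORS = set()
ALLOWED_PARAMS = set()


def split_request(url):
    """Split a URL into (selectors, extension, query parameter names).

    Simplification: everything between the first and the last dot of the
    final path segment is treated as selectors.
    """
    parts = urlsplit(url)
    segment = parts.path.rsplit("/", 1)[-1]
    pieces = segment.split(".")
    extension = pieces[-1] if len(pieces) > 1 else ""
    selectors = pieces[1:-1]
    params = [p.split("=", 1)[0] for p in parts.query.split("&") if p]
    return selectors, extension, params


def cache_bypass_reasons(url):
    """Return why a request falls outside the allowlists (empty list = allowed)."""
    selectors, extension, params = split_request(url)
    reasons = []
    if extension not in ALLOWED_EXTENSIONS:
        reasons.append("extension:" + extension)
    reasons += ["selector:" + s for s in selectors if s not in ALLOWED_SELECTORS]
    reasons += ["param:" + p for p in params if p not in ALLOWED_PARAMS]
    return reasons


# Constructed sample requests, modelled on the URLs quoted in the post.
SAMPLE_REQUESTS = [
    "/docs/en/cq/current/deploying/security_checklist.html",
    "/docs/en/cq/current/deploying/security_checklist.123.html",
    "/docs/en/cq/current/deploying/security_checklist.html?a=b",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        reasons = cache_bypass_reasons(url)
        print("ALLOW" if not reasons else "FLAG ", url, reasons)
```

The same function can be run over the request field of web server access log lines to see how often such requests occur before a blocking rule is put in place.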