icfnext/aem-groovy-console

By default anonymous attacker can execute arbitrary code via ScriptPostServlet

Closed this issue · 0 comments

Hello,

currently an anonymous attacker can execute arbitrary shell commands through ScriptPostServlet if Groovy Console is installed and not configured. Zero configuration is great for usability but catastrophic for security. It's explicitly written in the documentation: "Allowed Groups - List of group names that are authorized to use the console. If empty, no authorization check is performed." Nevertheless, I guess a lot of AEM installations are vulnerable where teams install Groovy Console, keep the default configuration, forget to block /bin/groovyconsole/post on Dispatcher and leave it exposed to the Internet.

It would be great to make Groovy Console secure by default.

Thanks!
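The two conditions the report combines (an empty "Allowed Groups" list that skips the authorization check, and a Dispatcher that does not block /bin/groovyconsole/post) can be modelled as a small audit check. This is an added example, not code from the aem-groovy-console project: it uses a simplified model of Dispatcher filter rules (ordered, last match wins, default deny) and assumes anonymous users belong only to the "everyone" group.

```python
import fnmatch
from dataclasses import dataclass

SCRIPT_POST_PATH = "/bin/groovyconsole/post"
ANONYMOUS_GROUPS = ["everyone"]  # assumption: anonymous carries only this group


@dataclass
class FilterRule:
    action: str        # "allow" or "deny"
    url_glob: str      # glob matched against the request path
    methods: tuple = ()  # empty tuple = rule applies to any HTTP method


def dispatcher_allows(rules, method, path):
    """Simplified Dispatcher filter evaluation: rules run in order, the
    last matching rule decides, nothing matching means deny."""
    decision = False
    for rule in rules:
        if rule.methods and method not in rule.methods:
            continue
        if fnmatch.fnmatchcase(path, rule.url_glob):
            decision = rule.action == "allow"
    return decision


def console_authorizes(allowed_groups, user_groups):
    """Behaviour the issue describes: an empty allow-list performs no check."""
    if not allowed_groups:
        return True
    return bool(set(allowed_groups) & set(user_groups))


def console_authorizes_secure(allowed_groups, user_groups):
    """Secure-by-default variant: an empty allow-list grants nobody access."""
    return bool(set(allowed_groups) & set(user_groups))


def anonymous_can_post_script(rules, allowed_groups):
    """True when an unauthenticated POST to the console reaches an unguarded servlet."""
    reachable = dispatcher_allows(rules, "POST", SCRIPT_POST_PATH)
    return reachable and console_authorizes(allowed_groups, ANONYMOUS_GROUPS)


# Constructed sample rule sets: a typical publish filter that opens /bin/*,
# and the same set with the console path explicitly denied afterwards.
DEFAULT_RULES = [FilterRule("deny", "*"), FilterRule("allow", "/content/*"),
                 FilterRule("allow", "/bin/*")]
HARDENED_RULES = DEFAULT_RULES + [FilterRule("deny", "/bin/groovyconsole/*")]
```

Running `anonymous_can_post_script(DEFAULT_RULES, [])` reproduces the exposed default, while either a non-empty allowed-groups list or the extra deny rule closes it.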