By default an anonymous attacker can execute arbitrary code via ScriptPostServlet
Closed this issue · 0 comments
0ang3el commented
Hello,
Currently an anonymous attacker can execute arbitrary shell commands through ScriptPostServlet if Groovy Console is installed and not configured. Zero configuration is great for usability but catastrophic for security. It's explicitly written in the documentation: "Allowed Groups - List of group names that are authorized to use the console. If empty, no authorization check is performed." Nevertheless, I guess a lot of AEM installations are vulnerable where teams install Groovy Console, keep the default configuration, forget to block /bin/groovyconsole/post on Dispatcher and leave it exposed to the Internet.
It would be great to make Groovy Console secure by default.
Thanks!
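The issue mentions blocking `/bin/groovyconsole/post` on Dispatcher as the compensating control that teams forget. As an added illustration (not part of the reporter's post or the project's own configuration), this is the shape such a Dispatcher filter rule takes inside the `/filter` section of a dispatcher farm file; the rule numbers and the surrounding rules are assumptions, and the deny should be complemented by setting a non-empty "Allowed Groups" on the console so that authorization is enforced on the publish/author instance itself rather than only at the edge:

```text
/filter {
  # Assumed default-deny baseline; project farms usually start with this.
  /0001 { /type "deny" /url "*" }

  # ... project-specific allow rules for content, assets, etc. ...

  # Explicitly deny the Groovy Console servlet endpoint named in the issue,
  # regardless of method or selector, so it is never reachable from the Internet.
  # Rule number 0900 is an assumption; keep it after the allow rules so it wins.
  /0900 { /type "deny" /url "/bin/groovyconsole/*" }
}
```

A quick way to verify the rule is in effect is to confirm from the Dispatcher log (with `DispatcherLog` at debug level) that requests to that path are logged as filter-rejected, rather than relying on the absence of a response body.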