Security issues for CQ/AEM Instances

Posted in Ruby, Start

While checking some security issues at my job, I looked into exploits for the Adobe AEM system.
There are a lot of old Adobe AEM versions out there. To find websites running Adobe AEM, just go to Google and enter:

inurl:content/geometrixx

This returns a lot of websites running Adobe AEM, many of them still carrying the preinstalled example content!

When I tried this search, there were over 270.000 websites.
Most of them are vulnerable!


Default login screen

The first step of a security test is the default login screen. Here we can check whether the default usernames and passwords are still in use.
We simply try a few URLs to reach it:

/system/console [Felix Web Console]
/system/admin [CQSE; servlet engine]
/system/sling/cqform/defaultlogin.html
/crx/de/index.jsp OR /crx/ [CRX Web Console]
/etc/packages.html
/content/geometrixx
/libs/cq/core/content/login.html
/libs/cq/core/content/welcome.html

Standard credentials

If one of these screens is reachable, which credentials should we try?
I suggest the standard credentials, which work in many cases.
The default accounts and passwords of Adobe CQ installs are:

admin : admin
author : author
anonymous : anonymous
replication-receiver : replication-receiver
jdoe@geometrixx.info : jdoe
aparker@geometrixx.info : aparker

Anonymous access

Now we can also check for anonymous access. We check the following paths:

/etc/packages (packages are stored here)
/etc/replication (encrypted transport of user passwords)
/apps (the application resides here)
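On the defending side, the paths and default accounts listed above make a useful watchlist for an AEM access log. The following Ruby script is an added example, not part of the original post: it parses Common Log Format lines (the sample lines are constructed for this example, with documentation IP addresses) and reports, per client, which sensitive paths were reached with a non-error status and which default accounts were used successfully.

```ruby
require "set"

# Paths the post lists as the usual first stops when probing an AEM instance.
SENSITIVE_PREFIXES = [
  "/system/console", "/system/admin", "/system/sling/cqform/defaultlogin.html",
  "/crx/", "/etc/packages", "/etc/replication", "/apps", "/content/geometrixx",
  "/libs/cq/core/content/login.html", "/libs/cq/core/content/welcome.html",
].freeze

# Default accounts from the post; a successful request by any of them needs a look.
DEFAULT_USERS = Set["admin", "author", "anonymous", "replication-receiver",
                    "jdoe@geometrixx.info", "aparker@geometrixx.info"].freeze

# Common Log Format: host ident authuser [date] "METHOD path HTTP/x" status bytes
LINE_RE = /\A(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

# Constructed sample log (not real traffic): one client probing the watchlist,
# one ordinary visitor.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Sep/2017:10:12:01 +0200] "GET /content/geometrixx/en.html HTTP/1.1" 200 5120
  203.0.113.7 - - [04/Sep/2017:10:12:03 +0200] "GET /crx/de/index.jsp HTTP/1.1" 401 0
  203.0.113.7 - admin [04/Sep/2017:10:12:05 +0200] "GET /system/console HTTP/1.1" 200 8831
  198.51.100.9 - - [04/Sep/2017:10:13:44 +0200] "GET /content/mysite/en.html HTTP/1.1" 200 2048
LOG

def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[1], user: m[2], method: m[4], path: m[5], status: m[6].to_i }
end

def sensitive_path?(path)
  p = path.split("?").first              # ignore query strings
  SENSITIVE_PREFIXES.any? { |prefix| p.start_with?(prefix) }
end

# Returns findings keyed by client IP: sensitive paths answered with status < 400,
# and default accounts that authenticated successfully. Clients that never touched
# a sensitive path do not appear in the result.
def analyze(lines)
  findings = Hash.new { |h, k| h[k] = { reached: [], default_users: [] } }
  lines.each do |line|
    r = parse_line(line) or next         # skip unparsable lines
    next unless sensitive_path?(r[:path])
    f = findings[r[:ip]]
    f[:reached] << r[:path] if r[:status] < 400
    f[:default_users] << r[:user] if r[:status] < 400 && DEFAULT_USERS.include?(r[:user])
  end
  findings
end

analyze(SAMPLE_LOG.lines).each { |ip, f| puts "#{ip}: reached=#{f[:reached]} default_users=#{f[:default_users]}" }
```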

Adobe AEM Version

Next we might want to know which version is running on a given Adobe AEM instance.
Here is a Ruby script that reads the version number of your CQ instance from the welcome screen (it needs valid credentials, since the welcome page is only shown to logged-in users):

require "rubygems"
require "net/http"
require "uri"

# Usage: ruby cqversion.rb username password http://YOURHOST:4502
if ARGV.length < 3
    puts "cqversion.rb username password http://YOURHOST:4502"
else
    username = ARGV[0]
    password = ARGV[1]
    host = ARGV[2]
    # The welcome page prints the product version for authenticated users.
    uri = URI.parse(host + "/libs/cq/core/content/welcome.html")
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == "https")   # needed when the instance is served over TLS
    request = Net::HTTP::Get.new(uri.request_uri)
    request.basic_auth username, password
    response = http.request(request)

    if response.code == "200"
        version = /Version [0-9\.a-zA-Z ]*/.match(response.body)
        puts(version ? version[0].strip : "no version string found on the welcome page")
    else
        puts "failed to get version number - http error code: #{response.code}"
    end
end

Happy hacking ;-)

Copyright © 2011-2017 RailsZilla – Ruby on Rails tutorials, tips and tricks. All rights reserved.