
Axway secure transport vulnerabilities







This is a friendly neighborhood zeroday drop

Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE
Author: Dominik Penner / zer0pwn of Underdog Security
Google Dork: intitle:"Axway SecureTransport" "Login"

"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything - from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."

Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. (just use the dork dude) If executed properly, this vulnerability can lead to local file disclosure, DOS or URI invocation attacks (e.g. SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated, meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.

POST /api/v1.0/myself/resetPassword HTTP/1.1

A successful request returns HTTP/1.1 204 No Content. Any type of invalid XML throws a SAXParser exception.

"message" : "\n - with linked exception:\n"

As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.

External Entity Injection (XXE) (hardened)

NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However, because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high.

XSS vulnerability in custom change password RDST-2381 5.0.0: 5.0.0: new build of the custom accelerator, used by the customer, with fix included has been provided
Account enumeration vulnerability in custom password reset RDST-2884 5.0.0: 5.0.
Axway PSG does not consider this to be a security vulnerability

DTD repurposing is a relatively new technique; however, in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets.

In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here:
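The mitigation the advisory suggests (disabling the DOCTYPE declaration and external general entities in the XML parser) looks like this on the Java SAX API the error message points at. This is an added example, not Axway's code and not the advisory author's; how SecureTransport actually builds its parser is unknown, and the resetPassword element names and the sample bodies are constructed for illustration. The feature URIs are the standard Xerces/SAX ones honoured by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedResetPasswordParser {

    // Default JAXP configuration: a DOCTYPE with entity declarations is accepted
    // and entities are expanded. Shown only for contrast with the hardened factory.
    static SAXParser defaultParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    // Hardened configuration: the two settings the advisory recommends, plus the
    // related features the OWASP XXE guidance lists for SAX parsers.
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: without a DOCTYPE no entity, internal or
        // external, can be declared, so a request like the advisory's PoC fails early.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a DOCTYPE is ever permitted again: never resolve
        // external general or parameter entities, and never load an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f.newSAXParser();
    }

    // Parse a request body; true if the parser accepted it, false if it was rejected.
    // A rejected body is where the application should answer with a plain 4xx and
    // log the event, rather than echoing the parser's message back to the caller.
    static boolean accepts(SAXParser parser, String body) {
        try {
            parser.parse(new InputSource(new StringReader(body)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // e.g. "DOCTYPE is disallowed when the feature ... set to true"
            return false;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies (element names are an assumption, not the real schema).
        String benign = "<resetPassword><username>alice</username></resetPassword>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY thisactuallyexists \"x\">]>"
                + "<resetPassword><username>&thisactuallyexists;</username></resetPassword>";

        System.out.println("hardened accepts benign body:  " + accepts(hardenedParser(), benign));     // true
        System.out.println("hardened accepts DOCTYPE body: " + accepts(hardenedParser(), withDoctype)); // false
        System.out.println("default accepts DOCTYPE body:  " + accepts(defaultParser(), withDoctype));  // true
    }
}
```

The detection angle follows from the same setting: once disallow-doctype-decl is on, every request body that carries a DOCTYPE is rejected at parse time, so a spike of those rejections against /api/v1.x/myself/resetPassword in the application log is a cheap indicator that someone is probing this endpoint.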







