However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. External Entity Injection (XXE) (hardened) This demonstrates that we can declare arbitrary entities.ģ. In the same error, we see that "thisdoesn't" was referenced, but not declared. "message" : "\n - with linked exception:\n"Īs you can see, the parser recognizes that "thisactuallyexists" was in fact declared. POST /api/v1.0/myself/resetPassword HTTP/1.1 Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory. It's worth noting that in version 5.4 the v1 API was deprecated. If executed properly, this vulnerablity can lead to local file disclosure, DOS or URI invocation attacks (e.g SSRF->RCE). (just use the dork dude)Īxway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. It is designed to handle everything - from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing." "Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. Google Dork: intitle:"Axway SecureTransport" "Login"Īuthor: Dominik Penner / zer0pwn of Underdog Security Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE This is a friendly neighborhood zeroday drop
0 kommentar(er)
