This vulnerability can lead to local file disclosure, DoS, or URI invocation. uploadFile ( '/', 'LICENSE', ) License
Copyright (c) 2016 Axway & licensed under the Apache License. DISPUTED Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.'use strict' const FilesAPI = require ( 'securetransport-files' ) const fs = require ( 'fs' ) const files = new FilesAPI ( ', 'username', 'password' ) files. Any type of invalid XML throws a SAXParser exception. A successful request returns an HTTP/1.1 204 No Content. You can find more information on that here: In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets.
DTD repurposing is a relatively new technique; however, in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high.
However, because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. This makes exploiting traditional XXE difficult. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. External Entity Injection (XXE) (hardened) This demonstrates that we can declare arbitrary entities. SecureTransport allows organizations to adeptly control and manage the transfer of files inside and outside of the corporate firewall in support of mission-critical business processes, while satisfying policy and regulatory compliance requirements. Please note: Equity Plan Advisory Services Clients should contact a member of your service team for assistance. Axway SecureTransport is part of the Axway family of managed file transfer (MFT) products.
In the same error, we see that "thisdoesn't" was referenced, but not declared. If you are unable to login for any reason, please contact the UBS Operations Center at 1-20. "message" : "\n - with linked exception:\n"
As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. POST /api/v1.0/myself/resetPassword HTTP/1.1
This means that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory. It's worth noting that in version 5.4 the v1 API was deprecated. If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF->RCE). (just use the dork dude)
Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. It is designed to handle everything - from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing." "Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. Google Dork: intitle:"Axway SecureTransport" "Login"
Author: Dominik Penner / zer0pwn of Underdog Security Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE
This is a friendly neighborhood zeroday drop