
Axway secure transport
  • Administrate and manage all aspects of the Axway Secure Transport software.
  • Monitoring and resolving ServiceNow tickets for new incidents and service requests to meet daily Service Level Agreements. Creating new routing processes within Secure Transport. Integrating new process instances into the Secure Transport environment. The Secure Transport Administrator will be responsible for daily monitoring of system health, including working with internal and external customers to configure and troubleshoot file transfers. This includes configuring file transfers in Axway Secure Transport to securely deliver files to their intended destination.

    #AXWAY SECURE TRANSPORT SOFTWARE#

    This individual will be part of an operations team whose responsibility will be to monitor, support, administer and manage all aspects of the Axway Secure Transport software within Experian Global File Transfer.

    Experian is the world's leading global information services company. During life's big moments - from buying a home or a car to sending a child to college to growing a business by connecting with new customers - we empower consumers and our clients to manage their data with confidence. We help individuals to take financial control and access financial services, businesses to make smarter decisions and thrive, lenders to lend more responsibly, and organizations to prevent identity fraud and crime. We have 17,800 people operating across 44 countries, and every day we're investing in new technologies, talented people and innovation to help all our clients maximize every opportunity. We are listed on the London Stock Exchange (EXPN) and are a constituent of the FTSE 100 Index. Learn more at or visit our global content hub at our global news blog for the latest news and insights from the Group.

    #AXWAY SECURETRANSPORT 5 UNAUTHENTICATED XML INJECTION / XXE#

This is a friendly neighborhood zeroday drop

Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE
Author: Dominik Penner / zer0pwn of Underdog Security
Google Dork: intitle:"Axway SecureTransport" "Login"

"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything - from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."

(just use the dork dude)

Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF->RCE).

It's worth noting that in version 5.4 the v1 API was deprecated. Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.

POST /api/v1.0/myself/resetPassword HTTP/1.1

"message" : "\n - with linked exception:\n"

As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.

3. External Entity Injection (XXE) (hardened)

NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However, because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high. DTD repurposing is a relatively new technique; however, in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets.

In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here:

Successful request returns an HTTP/1.1 204 No Content.
Any type of invalid XML throws a SAXParser exception.
API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.
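The parser behaviour the advisory describes and the mitigation it recommends, side by side, as an added example that is not from the advisory or from Axway: Python's xml.sax (expat) reader stands in for the Java SAXParser behind the REST endpoint, the `<r>` root and the function names are hypothetical, and the entity name `thisdoesnt` drops the apostrophe because XML names cannot contain one. With default settings the declared entity expands and the undeclared one surfaces as an "undefined entity" parse error, which is exactly the error-based signal the advisory relies on; with DOCTYPE rejected and external entities disabled, the same bodies are refused before any DTD is read.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed sample bodies. The <r> root is hypothetical (the advisory does not show the
# real resetPassword body) and "thisdoesnt" drops the apostrophe, which XML names forbid.
DECLARED_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE r [<!ENTITY thisactuallyexists "probe">]>'
                   b'<r>&thisactuallyexists;</r>')
UNDECLARED_ENTITY = (b'<?xml version="1.0"?>'
                     b'<!DOCTYPE r [<!ENTITY thisactuallyexists "probe">]>'
                     b'<r>&thisdoesnt;</r>')
NO_DOCTYPE = b'<?xml version="1.0"?><r>hello</r>'

class _TextCollector(ContentHandler):  # records the character data the parser produced
    def __init__(self):
        super().__init__()
        self.parts = []
    def characters(self, content):
        self.parts.append(content)

class _RejectDoctype:  # lexical handler: the first DTD callback aborts the parse
    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE is not allowed")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def parse_xml(data, hardened=False):
    """Default: DOCTYPE honoured, internal entities expanded (what the advisory observed)."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    if hardened:  # the advisory's mitigation: no DOCTYPE, no external general/parameter entities
        parser.setFeature(feature_external_ges, False)
        parser.setFeature(feature_external_pes, False)
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)

def classify(data, hardened=False):
    """Return (outcome, detail); detail is the error text an error-based probe would read back."""
    try:
        return "ok", parse_xml(data, hardened)
    except xml.sax.SAXParseException as exc:  # well-formedness error, e.g. "undefined entity"
        return "parse-error", exc.getMessage()
    except xml.sax.SAXException as exc:       # our deliberate DOCTYPE rejection
        return "rejected", exc.getMessage()
```

Note that the hardened parser rejects the document at the DOCTYPE itself, so an attacker never learns whether an entity name was declared: the oracle the advisory used disappears along with the XXE.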