DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal

Title

DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal

Severity

High

Date Discovered

July 15, 2011

Discovered By

Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description

The Axway SecureTransport device contains a directory traversal in
the '/icons/' directory. An unauthenticated remote attacker can use
this vulnerability to obtain arbitrary files from the root file system
of the vulnerable host.

Solution Description

Axway Global Support has addressed this vulnerability in package: SecureTransport Server 4.8.2 Patch 12.

Patch download: Axway Customers can download the patch using their support account at https://support.axway.com
File Packages: STEE-4_8_2-Patch12-Windows-x86-Build420.jar
MD5 checksum: 0401efe41ee05f2ee25d3adddca113ba
Size: 928753 bytes

See the Patch Readme file which is available on the vendor website for additional information.

Tested Systems / Software

DDI tested: Axway SecureTransport 4.8.1
Axway tested: Axway tested all supported platforms for
SecureTransport 4.8.x, 4.9.x, 5.0, and 5.1 and determined
that the vulnerability only exists on the Windows platform
for SecureTransport 4.8.x

Vendor Contact

Vendor Name: Axway

Vendor Support
Email: [email protected]
Phone: +1-866-AXWAY-US or

• Go to https://support.axway.com
• Click the "Contact Axway Support" link to display a list of regional support contact phone numbers.