
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target: Rocket Software TRUfusion Enterprise. The post discloses four unauthenticated, trivially exploitable issues that together enable arbitrary file read, full authentication bypass, pre‑auth RCE, and large‑scale PII leakage. Vendor released fixes; affected versions are in the advisories:
• CVE-2025-27222: advisory
• CVE-2025-27223:

  1. File Upload → RCE
    • File: src/pentesting-web/file-upload/README.md
    • What I added:
      • New subsection: “GZIP-compressed body upload + path traversal in destination param → JSP webshell RCE (Tomcat)”
        • General exploitation flow where the server writes the raw, gzipped request body to a filesystem path constructed from attacker-controlled parameters (e.g., token + file) without normalization
        • Full HTTP PoC showing Content-Encoding: gzip and traversal into Tomcat’s webapps path to drop shell.jsp, then execute via GET
        • Notes (e.g., Hackvertor for gzip body crafting) and mitigations
      • Added the blog URL into the References section
    • Implementation:
      • Inserted the new section before “## Tools”
      • Added reference at the top of the References section
    • Tools Calls:
      • modify_file on src/pentesting-web/file-upload/README.md (twice)
    2. Hacking with Cookies
    • File: src/pentesting-web/hacking-with-cookies/README.md
    • What I added:
      • New subsection: “Static-key cookie forgery (symmetric encryption of predictable IDs)”
        • Pattern: encryption of predictable user IDs (e.g., numeric) using a static symmetric key, returning hex/base64 for the cookie
        • Steps to test and forge cookies
        • A minimal Java PoC showing IDEA + hex encoding, included in an expandable details block
        • Example ciphertexts (hex) for userIDs 1 and 2
        • Defenses/best practices
      • Added the blog URL into the References section
    • Implementation:
      • Inserted the new subsection right before the References
      • Added the blog reference at the top of the References list
    • Tools Calls:
      • modify_file on src/pentesting-web/hacking-with-cookies/README.md (twice)

    Notes:

    • I kept content product-agnostic and focused on reusable exploitation patterns, with example requests and tips (e.g., gzip crafting via Hackvertor).
    • I avoided duplicating existing techniques and extended the existing sections in a way consistent with HackTricks’ structure and style.
    • I did not add a separate section for the unauthenticated PII enumeration endpoint; it falls under misconfigured/broken access control and is already broadly covered in IDOR/Broken Access Control methodology pages.

    References added:


    This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

    📚 Repository Maintenance

    • MD files processed: 896
    • MD files fixed: 1

    All .md files have been checked for proper formatting (headers, includes, etc.).
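Defensive example added here by the editor; it is not part of the PR, the HackTricks pages it edits, or the vendor's product. It shows the unnormalized destination-path pattern from the File Upload → RCE item beside a hardened builder that enforces single-segment parameters, an extension allowlist and a containment check. The upload root and the allowed extensions are assumed values.

```python
import posixpath

# Assumed values for this example (not from the PR or the vendor's product).
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXT = {".pdf", ".png", ".txt"}


def naive_destination(token: str, filename: str) -> str:
    """The vulnerable pattern the PR describes: the destination is built by
    concatenating attacker-controlled parameters with no normalization, so
    '..' segments in either parameter walk out of the upload root."""
    return posixpath.normpath(f"{UPLOAD_ROOT}/{token}/{filename}")


def is_within_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """Containment check: True only if the normalized path is root or below it.
    The trailing '/' guards against prefix collisions such as /srv/app/uploads2."""
    root_abs = posixpath.normpath(root)
    p = posixpath.normpath(path)
    return p == root_abs or p.startswith(root_abs + "/")


def safe_destination(token: str, filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened form: each parameter must be a single plain path segment,
    the extension must be on an allowlist (so no .jsp lands under a servlet
    container), and the joined result must still lie inside the root."""
    for part in (token, filename):
        if not part or part in (".", "..") or any(c in part for c in "/\\\x00"):
            raise ValueError(f"invalid path segment: {part!r}")
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(root, token, filename))
    if not is_within_root(candidate, root):
        raise ValueError("destination escapes upload root")
    return candidate


def rejects(token: str, filename: str) -> bool:
    """Helper for checks: does the hardened builder refuse this pair?"""
    try:
        safe_destination(token, filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # A benign upload resolves under the root; a traversal attempt does not.
    print(naive_destination("t1", "report.pdf"))
    print(is_within_root(naive_destination("../../tomcat/webapps/ROOT", "shell.jsp")))
    print(rejects("../../tomcat/webapps/ROOT", "shell.jsp"))
```

posixpath is used so the check behaves the same on every platform; a real handler should additionally resolve symlinks (os.path.realpath) on the final path before comparing it against the root.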

    @carlospolop
    Collaborator Author

    🔗 Additional Context

    Original Blog Post: https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/

    Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Path Traversal (LFI), Session/Cookie Abuse (Token Replay & Cookie Forgery), and File Upload to RCE (JSP Webshell)".

    Repository Maintenance:

    • MD Files Formatting: 896 files processed (1 file fixed)

    Review Notes:

    • This content was automatically processed and may require human review for accuracy
    • Check that the placement within the repository structure is appropriate
    • Verify that all technical details are correct and up-to-date
    • All .md files have been checked for proper formatting (headers, includes, etc.)

    Bot Version: HackTricks News Bot v1.0
