When Audits Fail From Pre-Auth SSRF to RCE in TRUfusion Ente...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/
• Blog Title: When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise
• Suggested Section: Pentesting Web -> SSRF (Server Side Request Forgery) (add a subsection on reverse-proxy/absolute-URL request-line SSRF / unintended forward proxy) and/or Pentesting Web -> File Upload / Path traversal -> Arbitrary file write to RCE (JSP/Tomcat webroot placement); optionally cross-link from HTTP Request Smuggling/Desync or Special HTTP headers/request-line quirks if a relevant page exists

🎯 Content Summary

The post describes a pre-auth remote code execution (RCE) chain against Rocket Software TRUfusion Enterprise by combining: (1) a pre-auth SSRF / open forward proxy behavior caused by a reverse-proxy request-line parsing/misconfiguration that accepts absolute URLs in the HTTP request line (CVE-2025-32355), and (2) a path traversal leading to arbitrary file write in a localhost-bound Axis2 SOAP upload service (CVE-2025-59793), typically made practical by default admin credentials (admin:trubiquity...

🔧 Technical Details

Reverse-proxy SSRF via absolute-URL request line: If a reverse proxy accepts absolute URLs in the HTTP request line (e.g., GET http://host/path HTTP/1.1) and uses that value to route/fetch, it can become an unauthenticated forward proxy. This yields full-read SSRF (the response is returned) and can reach internal and even localhost-bound services.

SOAP upload path traversal to arbitrary file write: Upload APIs that accept a destination directory parameter (e.g., jobDirectory) must block traversal sequences like ../. If not, combining attacker-controlled directory + file name (e.g., archiveName) + content (often base64, e.g., dataHandler) can produce an arbitrary file write primitive.

File-write to RCE via webroot placement: If the target executes files based on location/extension (e.g., JSP under Tomcat webapps), writing a malicious .jsp into a ser...

🤖 Agent Actions

Summary:

• Added guidance on exploiting reverse proxies that accept absolute-form request lines, turning them into open forward proxies for full-read SSRF (including localhost pivoting), plus mitigation notes in the SSRF methodology.
• Documented Axis2 SOAP uploadFile traversal to arbitrary JSP write under Tomcat webapps (with default creds and localhost exposure considerations) in the file upload page, providing a concise exploitation template.

Testing:

• Not run (documentation-only changes).

Files Modified:

• src/pentesting-web/ssrf-server-side-request-forgery/README.md
• src/pentesting-web/file-upload/README.md

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> SSRF (Server Side Request Forgery) (add a subsection on reverse-proxy/absolute-URL request-line SSRF / unintended forward proxy) and/or Pentesting Web -> File Upload / Path traversal -> Arbitrary file write to RCE (JSP/Tomcat webroot placement); optionally cross-link from HTTP Request Smuggling/Desync or Special HTTP headers/request-line quirks if a relevant page exists".

Repository Maintenance:

• MD Files Formatting: 948 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0