[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Hyland OnBase 19.x and below - Unrestricted File Upload
From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2020-09-10 11:05:32
Message-ID: GsljVZnmGU27Wjp2RcuFahoc1Opl-yurbLT7_WDm7lpgfnJb5cuZSFDhtMdYfVHQF1qgZ6xsyxah5Rzc_M1heU8u42-y0mB8ko0-eJp4PbA= () protonmail ! ch
[Download RAW message or body]
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Vendor
-------------------------------------------------
Hyland Software - (
https://www.hyland.com/en/
and
https://www.onbase.com/en/
)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 \
(tested: 18.0.0.32). OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, \
but Hyland's response indicates that they are not likely to have fixed the vulnerability.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side security, attackers can upload arbitrary \
files and file types and bypass client-side file type restrictions by directly querying the \
OnBase server.
Technical Details
-------------------------------------------------
Hyland OnBase allows malicious attackers to directly upload arbitrary files to the OnBase \
server using file upload methods. The client-side sometimes restricts file types, but the \
server-side does not allowing attackers with direct server access to upload files of any type \
including malicious files designed to compromise clients that view the data. OnBase also \
appears to lack the proper mechanisms to verify that files are of the type claimed and instead \
relies on file extensions, allowing attackers to upload malicious files whose extensions do not \
match the actual file type. This allows a second vector for malicious file upload and attacking \
clients.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being \
something that they have to fix since fixing vulnerabilities, according to the Director of \
Application Security, is "creating custom code" and no known fix is in place. It is recommended \
that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible \
to anyone other than trusted users. Antivirus should be used to scan the file store. No other \
mitigations are currently available.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical \
records management and search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a \
number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who \
said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write \
custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security \
Team via email on behalf of client, but attempts were ignored
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic