
List:       full-disclosure
Subject:    Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
From:       AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2020-09-29 18:12:01
Message-ID: w4ZntEGOu1ooXshNRwGe2a-DsEzi_WxhYr0ddtpRJHEKpg6Q2wNlKUQOInEOPj8rGPnnOnK4ZUAms1GIhfjJKXGRRfC27POk4W5h9te1r6w= () protonmail ! ch

Good evening. Because of the nature of the software and vulnerabilities we have been very cautious about releasing too much information so that people cannot easily create exploits. We have privately provided some examples, but we are being very cautious and do not want to provide proof of concept or other information publicly beyond what our lawyers advised us on already. We would like to point you to the FullDisclosure post "[FD] Navy Federal Reflective Cross Site Scripting (XSS)" (18 September) from another security researcher, which references our disclosures and states that NavyFederal.org was vulnerable to XSS, citing our work in their timeline, leading us to believe that NavyFederal.org is or was using OnBase.

While we do not know what version of the software you have, we did examine two major versions of the software and noted that they both had a large number of vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer instances of SQL injection than 18.0.0.32, but there were still large segments of the software that were vulnerable because they still make use of String.format and string concatenation. Both versions were equally vulnerable to authorization bypass, logging issues, and the other issues.

We mostly focused on the webserver, bypassing the clients completely, because of our customer's network and needs. We did not do as much testing on the webclient and did not use the mobile client because our customer wasn't going to use it. If you are having trouble, first configure your Unity client to proxy traffic through RAT, ZAP, or Burp Suite. We also recommend using CodeReflect, dotPeek, or a similar decompiler and searching for things like String.format and their exceptions, because it makes it easier to find the vulnerabilities and then create your exploits.

We have been told that Hyland has since had a third party perform an examination and found the same general issues. We have also been asked repeatedly whether Hyland has contacted us, and even now they have not.

Adaptive Security Consulting

------- Original Message -------
On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime@gmail.com> wrote:

> Some discussion regarding the onbase vulnerabilities. I should have
> CC'd you on the FD list to be sure you received it. So sorry to just
> kinda forward it on to you.
> 
> https://seclists.org/fulldisclosure/2020/Sep/48
> 
> On the bright side, feel free to discuss privately if you prefer. Let
> me know if you need me to up a new gpg key, I let mine expire as no
> one I know actually uses them.
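As an added illustration, not code from this message, from Hyland, or from OnBase, the following C# sketch places the String.Format pattern the message blames for the SQL injection findings beside the parameterized SqlCommand form that removes it. The Documents table, the Title and DocId columns, the connection string and the choice of Microsoft.Data.SqlClient as the ADO.NET provider are all assumptions made for the example.

```csharp
// Added example (not OnBase/Hyland code). Table, columns and connection
// string are assumed placeholders; Microsoft.Data.SqlClient is assumed as
// the provider (System.Data.SqlClient exposes the same SqlCommand API).
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class DocumentQueries
{
    // Vulnerable pattern: String.Format splices caller-supplied text into the
    // SQL text itself, so the input is parsed by the server as part of the
    // statement rather than as a value. A stray quote changes the structure.
    public static string BuildLookupUnsafe(string documentTitle)
    {
        return String.Format(
            "SELECT DocId, Title FROM Documents WHERE Title = '{0}'",
            documentTitle);
    }

    // Hardened pattern: the SQL text is a constant and the value travels as a
    // typed parameter. The server binds it as data, so quotes, comments or
    // keywords in the input never alter the statement.
    public static SqlCommand BuildLookupSafe(SqlConnection conn, string documentTitle)
    {
        var cmd = new SqlCommand(
            "SELECT DocId, Title FROM Documents WHERE Title = @title", conn);
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 255).Value = documentTitle;
        return cmd;
    }

    // Review aid: flags the call sites a code reviewer or decompiler search
    // should look at, namely SQL built with String.Format or concatenation.
    public static bool LooksLikeFormattedSql(string sourceLine)
    {
        string s = sourceLine.ToLowerInvariant();
        bool formatted = s.Contains("string.format(") || s.Contains("+ \"") || s.Contains("\" +");
        bool sqlish = s.Contains("select ") || s.Contains("insert ") ||
                      s.Contains("update ") || s.Contains("delete ") || s.Contains("where ");
        return formatted && sqlish;
    }

    public static void Main()
    {
        // Constructed input: a legitimate title that happens to contain a quote.
        string input = "O'Brien report";

        // The unsafe builder emits: ... WHERE Title = 'O'Brien report'
        // The literal ends at the apostrophe, so the statement is no longer
        // the one the developer wrote.
        Console.WriteLine(BuildLookupUnsafe(input));

        // The safe builder leaves the statement text untouched; the value sits
        // in cmd.Parameters and is sent separately. The connection is never
        // opened here, so the placeholder connection string is fine.
        using var conn = new SqlConnection("Server=<placeholder>;Database=<placeholder>");
        SqlCommand cmd = BuildLookupSafe(conn, input);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine("bound value: " + cmd.Parameters["@title"].Value);

        // Triage helper applied to a constructed decompiled line.
        Console.WriteLine(LooksLikeFormattedSql(
            "string sql = String.Format(\"SELECT * FROM Docs WHERE Id = {0}\", id);"));
    }
}
```

The review helper is deliberately coarse: it is meant to rank decompiled lines for human inspection in the way the message suggests (searching for String.format near SQL keywords), not to decide on its own that a line is safe.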



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

