Good evening. Because of the nature of the software and vulnerabilities we have been very cautious about releasing too much information so that people cannot easily create exploits. We have privately provided some examples, but we are being very cautious and do not want to provide proof of concept or other information publicly beyond what our lawyers advised us on already. We would like to point you to the FullDisclosure post "[FD] Navy Federal Reflective Cross Site Scripting (XSS)" (18 September) from another security researcher references our disclosures and states that NavyFederal.org was vulnerable to XSS, citing our work in their timeline, leading us to believe that NavyFederal.org is or was using OnBase.
While we do not know what version of the software you have, we did examine two major versions of the software and noted that they both had a large number of vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer instances of SQL injection than 18.0.0.32, but there were still large segments of the software that was vulnerable because they still make use of String.format and string concatenation. Both versions were equally vulnerable to authorization bypass, logging issues, and the other issues. We mostly focused on the webserver bypassing the clients completely because our customer's network and needs. We did not do as much testing on the webclient and did not use the mobile client because our customer wasn't going to use it. If you are having trouble, first configure your Unity client to proxy traffic through RAT, ZAP, or Burp Suite. We also recommend using CodeReflect, dotPeek, or a similar decompiler and search for things like String.format and their exceptions because it makes it easier to find the vulnerabilities and then create your exploits. We have been told that Hyland has since had a third party perform examination and found the same general issues. We have also been asked repeatedly if Hyland has contacted us even now and they have not. Adaptive Security Consulting ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, September 29, 2020 5:06 PM, Ken <[email protected]> wrote: > Some discussion regarding the onbase vulnerabilities. I should have > CC'd you on the FD list to be sure you received it. So sorry to just > kinda forward it on to you. > > https://seclists.org/fulldisclosure/2020/Sep/48 > > On the bright side, feel free to discuss privately if you prefer. Let > me know if you need me to up a new gpg key, I let mine expire as no > one I know actually uses them. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
