[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Hyland OnBase 19.x and below - XML External Entity (XXE) Injection
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Hyland OnBase 19.x and below - XML External Entity (XXE) Injection
- From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Tue, 08 Sep 2020 00:56:24 +0000
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and
OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3
were not available to test, but Hyland's response indicates that they are not
likely to have fixed the vulnerabilities.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the server-side
contains a number of critical XXE injection flaws, allowing remote attackers
read and write arbitrary files, as well as run arbitrary commands on the OnBase
server. All versions of OnBase were found to be equally vulnerable.
Technical Details
-------------------------------------------------
OnBase server allows XXE injection in multiple methods that accept and parse
user-provided XML.
Solution
-------------------------------------------------
Multiple methods within OnBase server accept XML-based input, like for managing
and creating users and patients, creating and editing charts and documents, and
editing and creating records. Several of these methods were found to allow XXE
injection because they fail to ignore the DTD specification, allowing attackers
to read and write arbitrary files on the server and run arbitrary commands.
Additional methods were found in other parts of the application, especially
those tied to server configuration. All instances found required the user to be
authenticated, but any authenticated user could call the methods.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of
vulnerabilities in medical records management and search applications being
considered by our client
15 May 2019 - The client was provided with the results of the assessment,
including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application
Security who said that fixing vulnerabilities was "writing custom code" and
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's
Application Security Team via email on behalf of client, but attempts were
ignored
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/