[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Hyland OnBase 19.x and below - Unrestricted File Upload
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Hyland OnBase 19.x and below - Unrestricted File Upload
- From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Thu, 10 Sep 2020 11:05:32 +0000
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Vendor
-------------------------------------------------
Hyland Software - (
https://www.hyland.com/en/
and
https://www.onbase.com/en/
)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and
OnBase 18 (tested: 18.0.0.32). OnBaseFoundation EP2 and OnBaseFoundation EP3
were not available to test, but Hyland's response indicates that they are not
likely to have fixed the vulnerability.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side security, attackers can
upload arbitrary files and file types and bypass client-side file type
restrictions by directly querying the OnBase server.
Technical Details
-------------------------------------------------
Hyland OnBase allows malicious attackers to directly upload arbitrary files to
the OnBase server using file upload methods. The client-side sometimes
restricts file types, but the server-side does not allowing attackers with
direct server access to upload files of any type including malicious files
designed to compromise clients that view the data. OnBase also appears to lack
the proper mechanisms to verify that files are of the type claimed and instead
relies on file extensions, allowing attackers to upload malicious files whose
extensions do not match the actual file type. This allows a second vector for
malicious file upload and attacking clients.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been
rebuffed as not being something that they have to fix since fixing
vulnerabilities, according to the Director of Application Security, is
"creating custom code" and no known fix is in place. It is recommended that
users try to mitigate the vulnerability by ensuring that the OnBase server is
inaccessible to anyone other than trusted users. Antivirus should be used to
scan the file store. No other mitigations are currently available.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of
vulnerabilities in medical records management and search applications being
considered by our client
15 May 2019 - The client was provided with the results of the assessment,
including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application
Security who said that fixing vulnerabilities was "writing custom code" and
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's
Application Security Team via email on behalf of client, but attempts were
ignored
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/