Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
- From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Tue, 29 Sep 2020 18:12:01 +0000
Good evening. Because of the nature of the software and vulnerabilities we have
been very cautious about releasing too much information so that people cannot
easily create exploits. We have privately provided some examples, but we are
being very cautious and do not want to provide proof of concept or other
information publicly beyond what our lawyers advised us on already. We would
like to point you to the FullDisclosure post "[FD] Navy Federal Reflective
Cross Site Scripting (XSS)" (18 September) from another security researcher,
which references our disclosures and states that NavyFederal.org was vulnerable
to XSS, citing our work in their timeline, leading us to believe that
NavyFederal.org is or was using OnBase.
While we do not know what version of the software you have, we did examine two
major versions of the software and noted that they both had a large number of
vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer
instances of SQL injection than 18.0.0.32, but there were still large segments
of the software that were vulnerable because they still make use of
String.format and string concatenation. Both versions were equally vulnerable
to authorization bypass, logging issues, and the other issues.
We mostly focused on the webserver, bypassing the clients completely, because of
our customer's network and needs. We did not do as much testing on the webclient
and did not use the mobile client because our customer wasn't going to use it.
If you are having trouble, first configure your Unity client to proxy traffic
through RAT, ZAP, or Burp Suite. We also recommend using CodeReflect, dotPeek,
or a similar decompiler and searching for things like String.format and their
exceptions because it makes it easier to find the vulnerabilities and then
create your exploits.
We have been told that Hyland has since had a third party perform an examination
and found the same general issues. We have also been asked repeatedly if Hyland
has contacted us even now and they have not.
Adaptive Security Consulting
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime@xxxxxxxxx> wrote:
> Some discussion regarding the onbase vulnerabilities. I should have
> CC'd you on the FD list to be sure you received it. So sorry to just
> kinda forward it on to you.
>
> https://seclists.org/fulldisclosure/2020/Sep/48
>
> On the bright side, feel free to discuss privately if you prefer. Let
> me know if you need me to up a new gpg key, I let mine expire as no
> one I know actually uses them.
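The message above attributes the SQL injection to queries built with String.format and string concatenation. The following C# fragment, added here as an illustration and not taken from OnBase or from the researchers, puts that pattern beside the parameterized form a code reviewer would expect instead; the table, column and method names are hypothetical.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Hypothetical lookup class: the two query-building styles the message contrasts.
public static class DocumentLookup
{
    // Defective pattern: the caller-supplied value is spliced into the SQL text,
    // so any value containing a quote character alters the statement itself.
    public static string BuildQueryUnsafe(string documentName)
    {
        return String.Format(
            "SELECT doc_id, doc_name FROM documents WHERE doc_name = '{0}'",
            documentName);
    }

    // Corrected pattern: the SQL text is constant and the value travels as a
    // typed parameter, so the database never parses it as part of the statement.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string documentName)
    {
        var cmd = new SqlCommand(
            "SELECT doc_id, doc_name FROM documents WHERE doc_name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 255).Value = documentName;
        return cmd;
    }
}
```

When auditing a decompiled assembly for the String.format and concatenation sites the message describes, each one found should be rewritten in the second form; an allow-list or escaping layer around the first form is not an equivalent fix.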
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/