what you don't know can hurt you

Hyland OnBase Arbitrary File Upload

Hyland OnBase Arbitrary File Upload
Posted Sep 11, 2020
Authored by Adaptive Security Consulting

All versions up to and prior to Hyland OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32) suffer from an arbitrary file upload vulnerability.

tags | advisory, arbitrary, file upload
MD5 | c009d2120232537634c05881dd75c693

Hyland OnBase Arbitrary File Upload

Change Mirror Download
CVSSv3.1 Score

-------------------------------------------------

AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Vendor

-------------------------------------------------

Hyland Software - (
https://www.hyland.com/en/
and
https://www.onbase.com/en/
)

Product

-------------------------------------------------

Hyland OnBase

All derivatives based on OnBase

Versions Affected

-------------------------------------------------

All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerability.

Credit

-------------------------------------------------

Adaptive Security Consulting

Vulnerability Summary

-------------------------------------------------

Because Hyland OnBase largely relies on client-side security, attackers can upload arbitrary files and file types and bypass client-side file type restrictions by directly querying the OnBase server.

Technical Details

-------------------------------------------------

Hyland OnBase allows malicious attackers to directly upload arbitrary files to the OnBase server using file upload methods. The client-side sometimes restricts file types, but the server-side does not allowing attackers with direct server access to upload files of any type including malicious files designed to compromise clients that view the data. OnBase also appears to lack the proper mechanisms to verify that files are of the type claimed and instead relies on file extensions, allowing attackers to upload malicious files whose extensions do not match the actual file type. This allows a second vector for malicious file upload and attacking clients.

Solution

-------------------------------------------------

Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible to anyone other than trusted users. Antivirus should be used to scan the file store. No other mitigations are currently available.

Timeline

-------------------------------------------------

07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client

15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities

12 July 2019 - Client asked for more information and demonstrations

01 October 2019 - Client asked to test latest version of Hyland software

15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities

March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"

21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored


Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close