Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-25254: Full Disclosure: Hyland OnBase 19.x and below

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer.

CVE
#sql#vulnerability#web#auth

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

Full Disclosure mailing list archives****Hyland OnBase 19.x and below - SQL Injection

From: Adaptive Security Consulting via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 02 Sep 2020 14:50:46 +0000

CVSSv3.1 Score

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product

Hyland OnBase All derivatives based on OnBase

Versions Affected

All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland’s response indicates that they are not likely to have fixed the vulnerabilities, especially given how numerous the instances of SQL injection are.

Credit

Adaptive Security Consulting

Vulnerability Summary

Because Hyland OnBase largely relies on client-side validation, the server-side contains a number of critical SQL injection vulnerabilities, including Connection String injection, that allow remote users to execute arbitrary SQL queries as the database administrator. Additionally, the Connection String injection vulnerabilities allow unauthenticated users to connect OnBase to arbitrary SQL servers and execute arbitrary commands as the database administrator. An attacker may leverage these vulnerabilities to modify, delete, insert, or read arbitrary data inside the database, to probe backend services, to connect OnBase to a malicious or attacker-controlled SQL server, and other tasks.

Technical Details

OnBase 18 contains a number of direct string concatenations to form SQL queries and contains considerably more SQL injection flaws than 19 and above, however, all versions contain string concatenations within a series of important and unprotected actions, such as: TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, and AddWorkViewLinkedServer. By sending a SOAP request to the OnBase server querying the vulnerable service method and using the injection point any user can execute arbitrary SQL queries as the SQL administrator. In total, over fifty vulnerable methods were found in OnBase 19, and several hundred in OnBase 18, with many methods containing multiple vulnerable parameters (e.g. "TableName", "ColumnName", "Name", "UserId", and “Password”). Several of the vulnerable methods do not require the user to be authenticated, most allowed any authenticated user to access them, and a few were only available to people with special (but not administrative) permissions.

Solution

Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is “creating custom code” and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible to anyone other than trusted users and that a WAF be used (note that OnBase can use “optimized” communication that is pure binary – if this is used, it will be much harder to configure the WAF to protect against these vulnerabilities).

Timeline

07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client 15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities 12 July 2019 - Client asked for more information and demonstrations 01 October 2019 - Client asked to test latest version of Hyland software 15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was “writing custom code” and that Hyland “doesn’t write custom code” 21 April 2020 - Adaptive Security Consulting attempted to contact Hyland’s Application Security Team via email on behalf of client, but attempts were ignored

_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

  • Hyland OnBase 19.x and below - SQL Injection Adaptive Security Consulting via Fulldisclosure (Sep 04)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907