-------------------------------------------------
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and
https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested:
19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation
EP2 and OnBase Foundation EP3 were not available to test, but
Hyland's response indicates that they are not likely to have fixed
the vulnerabilities.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the
server-side contains a number of critical XXE injection flaws,
allowing remote attackers read and write arbitrary files, as well
as run arbitrary commands on the OnBase server. All versions of
OnBase were found to be equally vulnerable.
Technical Details
-------------------------------------------------
OnBase server allows XXE injection in multiple methods that accept
and parse user-provided XML.
Solution
-------------------------------------------------
Multiple methods within OnBase server accept XML-based input, like
for managing and creating users and patients, creating and editing
charts and documents, and editing and creating records. Several of
these methods were found to allow XXE injection because they fail
to ignore the DTD specification, allowing attackers to read and
write arbitrary files on the server and run arbitrary commands.
Additional methods were found in other parts of the application,
especially those tied to server configuration. All instances found
required the user to be authenticated, but any authenticated user
could call the methods.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of
vulnerabilities in medical records management and search
applications being considered by our client
15 May 2019 - The client was provided with the results of the
assessment, including POCs for a number of high and critical
vulnerabilities
12 July 2019 - Client asked for more information and
demonstrations
01 October 2019 - Client asked to test latest version of Hyland
software
15 October 2019 - Client was informed that EP1 contained many of
the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of
Application Security who said that fixing vulnerabilities was
"writing custom code" and that Hyland "doesn't write custom
code"
21 April 2020 - Adaptive Security Consulting attempted to contact
Hyland's Application Security Team via email on behalf of client,
but attempts were ignored
Read more https://packetstormsecurity.com/files/159108/hylandonbase-xxe.txt
