Hyland OnBase 19.x and below - CSRF

[Adaptive Security Consulting via Fulldisclosure <fulldisclosure () seclists org>]

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase 
Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerability.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Hyland OnBase's web client allows cross-site request forgery on the login page allowing an attacker to authenticate a 
user utilizing known credentials, allowing the attacker to gather data about the user, perform spoofing, and other 
activities.

Technical Details
-------------------------------------------------
Hyland OnBase's web login process fails to utilize a CSRF token, allowing an attacker to authenticate a victim 
utilizing attacker-known credentials (such as the default credentials "manager:wstinol" and "hsi:wstinol") when not 
using federated authentication. Once authenticated, the victim would be performing actions on-behalf of the attacker or 
the attacker can leverage the XSSi vulnerabilities to extract data from OnBase remotely, bypassing cross origin 
policies.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users utilize federated authentication or, failing that, strong 
credential management processes to mitigate the risk of exploitation, and ensure that all default credentials are 
changed.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and 
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and 
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/