Regarding the semi-recent OnBase vulnerabilities

[Ken <catatonicprime () gmail com>]

In response to the recent OnBase v19.8.9.1000 and v18.0.0.32
vulnerability disclosures a few weeks ago, Hyland has maintained they
have been unable to replicate the issues. Moreover they assert that
the disclosures from Adaptive Security Consulting on behalf of one of
their mutual clients were never received. I am, probably like many of
us, wary of a corporate entity claiming a researcher is inaccurate in
their disclosures. I believe pretty fully that these vulnerabilities
exist in these specific releases.

But, I've spent some time hunting in a later version that I have
access to and I have been unable to find the somewhat rampant sounding
bugs. So I'm thinking they may be patched in later versions? I've been
hunting in the mobile endpoints, in the web endpoints, I haven't had
success intercepting traffic in thick client though - but that's
definitely gotta be a PEBKAC issue for myself.

So, my burning question(s) for the list is, what's the truth? How far
does it extend? Does it stop at the reported versions? Less than that?
Has anyone been able to independently verify them?

I'm hoping the researchers are willing to share additional details in
lieu of the continued response from Hyland that they too can not find
them; and I'm sure any additional guidance would be helpful to anyone
trying to patch manage these systems.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/