Re: Navy Federal Reflective Cross Site Scripting (XSS)

[AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>]

Good evening. Because of the nature of the software and vulnerabilities we have been very cautious about releasing too 
much information so that people cannot easily create exploits. We have privately provided some examples, but we are 
being very cautious and do not want to provide proof of concept or other information publicly beyond what our lawyers 
advised us on already. We would like to point you to the FullDisclosure post "[FD] Navy Federal Reflective Cross Site 
Scripting (XSS)" (18 September) from another security researcher references our disclosures and states that 
NavyFederal.org was vulnerable to XSS, citing our work in their timeline, leading us to believe that NavyFederal.org is 
or was using OnBase.

While we do not know what version of the software you have, we did examine two major versions of the software and noted 
that they both had a large number of vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer instances 
of SQL injection than 18.0.0.32, but there were still large segments of the software that was vulnerable because they 
still make use of String.format and string concatenation. Both versions were equally vulnerable to authorization 
bypass, logging issues, and the other issues.

We mostly focused on the webserver bypassing the clients completely because our customer's network and needs. We did 
not do as much testing on the webclient and did not use the mobile client because our customer wasn't going to use it. 
If you are having trouble, first configure your Unity client to proxy traffic through RAT, ZAP, or Burp Suite. We also 
recommend using CodeReflect, dotPeek, or a similar decompiler and search for things like String.format and their 
exceptions because it makes it easier to find the vulnerabilities and then create your exploits.

We have been told that Hyland has since had a third party perform examination and found the same general issues. We 
have also been asked repeatedly if Hyland has contacted us even now and they have not.

Adaptive Security Consulting

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime () gmail com> wrote:

> Some discussion regarding the onbase vulnerabilities. I should have
> CC'd you on the FD list to be sure you received it. So sorry to just
> kinda forward it on to you.
>
> https://seclists.org/fulldisclosure/2020/Sep/48
>
> On the bright side, feel free to discuss privately if you prefer. Let
> me know if you need me to up a new gpg key, I let mine expire as no
> one I know actually uses them.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/