Hyland has identified an important security issue in the Unity Client in versions 10.0 and higher that may allow the execution of man-in-the-middle attacks. A default configuration setting in the Unity Client configuration file permits the use of unverified certificates when communicating with an application server. Allowing the use of unverified certificates can permit a malicious server to impersonate an OnBase application server and record data traffic before passing it on to the actual application server. The user will not be informed that the server’s SSL certificate is invalid or unverifiable.
Jul 19, 2013
OnBase Tips & Common Fixes