Researcher uncovers multiple SQL Injection Vulnerabilities in the DPA Presseportal of NewsAktuell

Researcher uncovers multiple SQL Injection Vulnerabilities in the DPA Presseportal of NewsAktuell

Vulnerability-Lab researcher Marco Onorati found multiple sql injection web vulnerabilities in the official german presseportal a journalists web application of newsaktuell (dpa). The vulnerabilities was reported within the same week to the news portal to protect the privacy of the registered journalists. Presseportal is lead by Newsaktuell of the DPA Press Agency and is an information portal for journalists in Germany. Presseportal offers normal journalists to publish their articles and spread them. They are offering abos to categorized news. The portal is one of the leading source to spread news information country wide and to the european union.

The vulnerabilities was located in the `id` and `city` values of the `iframe.htx` `userfeed.htx` `userchoosefeed.htx` `change_profile.htx` files. Remote attackers are able to execute own sql commands by manipulation of the GET or POST method request with the vulnerable id and city parameters. The request method to inject the sql command is GET or POST and the issue is located on the application-side of the `./services/content/` module. The sql vulnerability allows remote attackers to compromise the database management system that is connected to the web-application. 3 of the issues requires a low privileged user account. The other two issues are POST request sql injections vulnerabilities.

The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 9.1. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET & POST

Vulnerable Module(s):
[+] ./services/content/
[+] ./services/

Vulnerable File(s):
[+] iframe.htx
[+] userfeed.htx
[+] userchoosefeed.htx
[+] change_profile.htx
[+] userindex.htx

Vulnerable Parameter(s):
[+] id
[+] city
[+] website_desc

Another client-side vulnerability was also reported. The vulnerability was located in the `page` value of the `location_search.php` file. Remote attackers are able to inject own malicious script codes to the client-side of the affected web-application. The request method to inject is POST and the attack vector is client-side. The attacker inject the payload in the page value to execute the code in the results page of the location search module.

Vulnerable Input-Fields: firstname, surname, street, zip, city, phone & company ( all editable fields)

PoC: Remote SQL Injection
http://www.presseportal.de/services/content/iframe.htx?id=0696afc466c0d3... INJECTION VULNERABILITY!]
http://www.presseportal.de/services/content/userfeed.htx?id=45c7c17402d1... INJECTION VULNERABILITY!]
http://www.presseportal.de/services/content/userchoosefeed.htx?id=1ac520... AND 1='1[SQL INJECTION VULNERABILITY!]

PoC: #2 Pre-Auth
UPDATE Blind sqli with output
goto
http://www.presseportal.de/services/change_profile.htx
change city to the following payload
Payload ', city=(SQL QUERY - [SQL INJECTION!]), company='
Note: You'll see the results in the city form ;)

PoC: #3 Pre-Auth
http://www.presseportal.de/services/content/userindex.htx
create user account
goto http://www.presseportal.de/services/content/userindex.htx
create a feed
insert needed parameters (website and a newscategory)
injectable field/parameter is : website_desc

PoC: Cross Site Scripting
http://www.presseportal.de/katalog.htx?action=showChar&char=%22%3E%3Cscr... SIDE CROSS SITE VULNERABILITY!]
http://www.presseportal.de/katalog/6694?action=showDate&date=20.01.2016%... SIDE CROSS SITE VULNERABILITY!]

The PressePortal security team took about 2-3 weeks to patch all the critical vulnerabilities in the newsaktuell (dpa) online service web-application. All reported bugs has been resolved within a short time period. At this part, we would like to say thanks to the presseportal developer team for cooperation and coordination of the vulnerability.

URL: http://www.vulnerability-lab.com/get_content.php?id=1676