The telecoms company has addressed the issues and rewarded the researcher

Feb 6, 2014 12:53 GMT  ·  By

Ibrahim Mosaad El-Sayed, a security researcher with Vulnerability Lab, has identified three critical vulnerabilities in the systems of German telecommunication company Deutsche Telekom. Fortunately, Deutsche Telekom has rushed to fix the issues.

The first security hole is an SQL Injection that impacted the company’s English Fitness Check website, which allows users to test their English skills.

The bug, which could have been exploited remotely and without any user interaction, affected the englishtest2004/test.asp file.

“After executing the query through the test.asp page, the query's result can be seen from a `500 error` returned by the `test.asp` page,” the report from Vulnerability Lab reads.

“The connected vulnerable parameter in the `test.aspx` file is `mailbody` that is passed through the POST method request. The SQL injection bug is in the INSERT statement. Other parameters like VORNAME, Email, PLZ, TELEFON can be accessed by usage of a malicious insert statement.”
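The advisory describes an INSERT built from POST fields, with database errors surfacing as a `500` response. The following is an added illustration, not code from the advisory or from Deutsche Telekom's site: a constructed registration form with the parameter names quoted above, inserted once by string concatenation and once with a parameterized statement, using an in-memory SQLite table as a stand-in for the real backend. A benign value containing a single quote is enough to show why the concatenated version both breaks and leaks an error oracle.

```python
import sqlite3

# Field names taken from the advisory; the table layout is assumed for the demo.
COLUMNS = ("VORNAME", "Email", "PLZ", "TELEFON", "mailbody")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrations "
        "(VORNAME TEXT, Email TEXT, PLZ TEXT, TELEFON TEXT, mailbody TEXT)"
    )
    return conn


def insert_vulnerable(conn, form):
    """Concatenates form values into the SQL text (the anti-pattern).

    Any quote in `mailbody` becomes part of the statement, so the user
    controls the query; a malformed statement is reported back as a 500,
    which is exactly the error oracle the advisory mentions.
    """
    sql = (
        "INSERT INTO registrations (VORNAME, Email, PLZ, TELEFON, mailbody) "
        "VALUES ('%s', '%s', '%s', '%s', '%s')" % tuple(form[c] for c in COLUMNS)
    )
    try:
        conn.execute(sql)
        conn.commit()
        return 200
    except sqlite3.Error:
        return 500  # database error leaks to the client as a 500 page


def insert_parameterized(conn, form):
    """Binds form values as parameters: they are data, never SQL syntax."""
    conn.execute(
        "INSERT INTO registrations (VORNAME, Email, PLZ, TELEFON, mailbody) "
        "VALUES (?, ?, ?, ?, ?)",
        tuple(form[c] for c in COLUMNS),
    )
    conn.commit()
    return 200


def stored_mailbody(conn):
    """Returns the mailbody column as stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT mailbody FROM registrations")]
```

A value such as `I'd like the B2 test` yields a 500 from the concatenated path and is stored verbatim by the parameterized one, which also removes the attacker-controlled query the advisory describes.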

Check out some screenshots and the POC for this SQL Injection vulnerability provided by Vulnerability Lab exclusively to Softpedia:

The second security hole, a remote code execution (RCE) vulnerability, plagued a couple of files (downloadImage.php and process.php) on the German language website telekom.de.

“The vulnerable parameter value is the `locCode`. Remote attackers can manipulate the POST method request with the ImgType values to inject/execute own php commands,” the researchers explained in their advisory.

If unfixed, this RCE vulnerability could have been exploited to inject unauthorized commands into the impacted server. No user interaction was required to exploit it.

Check out the POC and some screenshots for this RCE vulnerability:

The third and final flaw is an arbitrary file upload vulnerability. It affected a tool that allows users to build their online profiles (profilbildtool.telekom.de).

“The arbitrary file upload vulnerability is located in the `/scripts/php/process.php` file. After executing the query through the process.php page, the query result can be seen from `/scripts/php/downloadImage.php`. Remote attackers are able to manipulate the POST method request of the process.php file to upload unauthorized own malicious files,” the advisory for this bug reads.

The vulnerability could have been exploited without user interaction to upload arbitrary files to a server and compromise the database management system, the website or the web server system.

Check out the POC and some screenshots for this arbitrary file upload vulnerability:

All of these vulnerabilities were reported to Deutsche Telekom on December 30, 2013. The telecoms company confirmed fixing the security holes on January 24, 2014. The Vulnerability Lab team has been rewarded with €3,000 ($4,000) for responsibly disclosing the issues.

Benjamin Kunz-Mejri, the founder and CEO of Vulnerability Lab, has told Softpedia that they have submitted seven additional security holes to the German telecoms company.

As far as the collaboration with Deutsche Telekom is concerned, Ibrahim has told us that the company has one of the best bug bounty programs he has ever seen.

“What makes them outstanding from other bug bounty programs is their communication with the researchers. They are fast in fixing the bugs and fast in paying the bounty which keeps us, hackers, always interested to find more and more,” the researcher said.

“Also whenever we need clarification about something we get the answer in max 24 to 48 hours. I think they know what they are doing. I just wish they can somehow expand the program to include other critical bugs like persistent input validation and file inclusion bugs,” he added.

“SQL and RCE are not always and only the critical bugs in a website to make damage. A system can be owned with some filter bypass and persistent cross site issue the same way like with a SQL injection or arbitrary file upload. As far as our lab core team’s successful participation in the program, we will continue the cooperative & coordinated disclosure with the German Telekom.”
