Critical bugs disclosed in Duesseldorf Airport web infrastructure

An anonymous Vulnerability Laboratory researcher issued a security advisory this week stating that multiple critical SQL injection vulnerabilities have been found on the web infrastructure of the famous German Duesseldorf International Airport. The security issues were submitted multiple times to the DUS-INT Airport Web Team, and after no response was received, the bugs were disclosed.

The vulnerabilities are located in multiple web service modules of the airport application. Examples of vulnerable modules include the Shoplist, Media Info and Photoarchive. The vulnerability is remotely exploitable and allows an attacker to execute SQL commands on the vulnerable modules. Successful exploitation can result in access to all database tables and retrieval of sensitive information such as customer passwords, usernames, IDs, addresses etc.

Vulnerability Lab noted that it had informed the airport about the vulnerabilities in April 2011. "Unfortunately, we never received a reply. When doing a check, we found that the holes were only closed a few weeks ago", security expert Benjamin Kunz Mejri told heise Security. After the report was made public, the DUS-INT Airport Team responded to Vulnerability-Labs.