Document Title:
===============
Rheinmetall AG - Multiple SQL Injection Vulnerabilities

References (Source):
====================

Release Date:
=============
2010-12-16

Government Laboratory ID (VL-ID):
====================================
17

Common Vulnerability Scoring System:
====================================
8.8

Product & Service Introduction:
===============================
Headquartered in Düsseldorf, Rheinmetall AG is an automotive parts supplier and military technology group. In fiscal 2012 (2011), the company's 21,766 (21,516) employees generated sales of €4.7 billion (€4.4 billion). Rheinmetall was the tenth-largest European defence contractor in 2011. The Group's Automotive unit had sales in fiscal 2012 of €2.369 billion, while sales of its Defence arm for the same period came to €2.335 billion. Rheinmetall AG is listed on the German MDAX; its shares are traded on all German stock exchanges.

(Copy of the Vendor Homepage: )

Abstract Advisory Information:
==============================
A government laboratory core team researcher discovered multiple SQL injection vulnerabilities in the official Rheinmetall AG online service web applications.
Vulnerability Disclosure Timeline:
==================================
2010-03-04: Researcher Notification & Coordination (Government Laboratory - Core Research Team)
2010-03-04: Vendor Notification (Rheinmetall Defense Department)
2010-03-09: Vendor Response/Feedback (Rheinmetall Defense Department)
2010-12-13: Vendor Fix/Patch (Rheinmetall - Service Developer Team)
2010-12-16: Public Disclosure (Government Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Rheinmetall AG
Product: Online Service - Core (Web-Application) 2010 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Multiple SQL injection vulnerabilities have been discovered in the official Rheinmetall AG online service web application. The vulnerabilities allow remote attackers to execute their own SQL commands and thereby compromise the web application or the connected DBMS.

The vulnerabilities are located in the `lang`, `id`, `gid`, `jid` and `fid` parameters of the vulnerable `contact.php`, `index.php`, `jobinfo.php` and `print.php` files. Remote attackers can easily inject their own SQL commands through GET requests and compromise the full digital infrastructure of Rheinmetall AG. The vulnerabilities are a major risk to a company in the defense and military sector.

The security risk of the SQL injection vulnerabilities is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 8.8.

Exploitation of the remote SQL injection vulnerabilities requires no user interaction and no privileged web application user account. Successful exploitation results in compromise of the database management system, the web server and the web application.
Vulnerable File(s):
[+] contact.php
[+] index.php
[+] jobinfo.php
[+] index.php
[+] print.php

Vulnerable Parameter(s):
[+] ?lang=
[+] ?id=
[+] ?gid=
[+] ?jid=
[+] ?fid=

Affected Domain(s):
[+]
[+]
[+]
[+] KSPG AG & all Offices Websites

Proof of Concept (PoC):
=======================
The SQL injection vulnerabilities can be exploited by remote attackers without user interaction or privileged user accounts. For security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

PoC: Rheinmetall - Remote SQL Injection Exploits
remote sql-injection test requester
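Added example, not Rheinmetall's code and not part of the advisory: the defect class described above (a GET value such as `jid` spliced straight into the SQL text of a page like `jobinfo.php`) beside a hardened form that validates the integer id, whitelists the `lang` code and binds both as parameters of a PDO prepared statement. The table and column names, the language list and the database DSN are assumptions.

```php
<?php
// Hypothetical schema: table `jobs` with columns job_id, title, language.

// The pattern the advisory describes: the raw GET value becomes part of the
// statement, so the request controls the query that reaches the DBMS.
function lookupJobVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT title FROM jobs WHERE job_id = " . $get['jid'];  // unsafe
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: reject anything that is not a positive integer, accept
// only known language codes, and bind the values so they can never change
// the statement's structure.
function lookupJobSafe(PDO $db, array $get): ?array
{
    $jid = filter_var($get['jid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($jid === false) {
        http_response_code(400);   // bad id: no query is issued at all
        return null;
    }
    $allowedLangs = ['de', 'en'];  // assumed set of supported language codes
    $lang = $get['lang'] ?? 'de';
    if (!in_array($lang, $allowedLangs, true)) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare(
        'SELECT title FROM jobs WHERE job_id = :jid AND language = :lang');
    $stmt->bindValue(':jid', $jid, PDO::PARAM_INT);
    $stmt->bindValue(':lang', $lang, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection settings; emulated prepares are disabled so the server
// itself separates the statement from its parameters.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$row = lookupJobSafe($pdo, $_GET);
```

The same integer validation applies to `id`, `gid` and `fid`; a request whose value fails the check is answered with 400 before any SQL is built, which also gives a clean point to log attempted injections.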