Document Title:
===============
DB S Bahn Muenchen - SQL Injection Vulnerability

Release Date:
=============
2011-08-14

Vulnerability Laboratory ID (VL-ID):
====================================
167

Product & Service Introduction:
===============================
Official Website of Deutsche Bahn (S-Bahn Muenchen)

(Copy of the Vendor Homepage: http://www.s-bahn-muenchen.de)

Abstract Advisory Information:
==============================
An anonymous laboratory researcher discovered a blind SQL Injection vulnerability on the official S-Bahn Muenchen vendor website (DB).

Vulnerability Disclosure Timeline:
==================================
2011-08-15: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A SQL injection vulnerability was detected on the S-Bahn Muenchen website. The vulnerability allows a remote attacker to inject and execute their own SQL statements on the affected application (DBMS).

Vulnerable Module(s):
[+] Public Main Module - (document_id)

--- Exception Logs ---
Error References:
mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/virtual/site18/fst/var/www/html/cyras/functions/sql_access.php on line 572

Datenbankfehler: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1
Anweisung: SELECT page_id FROM sb4_public_documents WHERE id=-1

Datenbankfehler: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near AND active = 1 at line 1
Anweisung: SELECT id FROM sb4_public_documents WHERE id = -1 AND active = 1

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers. For demonstration ...
Server: http://www.xxx.de/public_main_modul.php?document_id=
File:   public_main_modul.php
Para:   ?document_id=

DB MUENCHEN - Remote SQL Injection PoC
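The exception logs above show two separate defects: the document_id value is placed directly into the SQL text, and the database error, the full statement and the server file path are returned to the client. The following is an added example, not the vendor's code, of a lookup that closes both. The function names are hypothetical, and an in-memory SQLite database (PDO with the pdo_sqlite extension assumed) stands in for the site's MySQL server, using the table and column names from the error output.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the real database: in-memory SQLite with the
// table and columns named in the advisory's error output. Rows are sample data.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE sb4_public_documents (id INTEGER PRIMARY KEY, page_id INTEGER, active INTEGER)');
    $pdo->exec('INSERT INTO sb4_public_documents VALUES (1, 10, 1), (2, 20, 0)');
    return $pdo;
}

// Hypothetical helper: returns the page_id of an active document, or null.
function find_active_page_id(PDO $pdo, $rawDocumentId): ?int
{
    // 1. Strict integer validation: anything that is not a positive integer
    //    (negative ids, trailing quotes, extra tokens, empty input) is rejected.
    $id = filter_var($rawDocumentId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // 2. Bound parameter: the value never becomes part of the SQL text.
        $stmt = $pdo->prepare('SELECT page_id FROM sb4_public_documents WHERE id = :id AND active = 1');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : (int) $row['page_id'];
    } catch (PDOException $e) {
        // 3. Log server-side only; never echo the statement or file path.
        error_log('document lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed inputs: one active id, one inactive id, then malformed values.
$pdo = demo_db();
foreach (['1', '2', '-1', "1'", '1 abc', ''] as $input) {
    var_dump(find_active_page_id($pdo, $input));
}
```

Every malformed input takes the same path as a missing document, so the response no longer distinguishes a syntax error from an empty result. In production, `display_errors` should also be off so that warnings like the `mysql_num_rows()` message are not rendered into the page.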

Version