The Social Democratic Party of Germany (in short: SPD) is the oldest political parlemtary party in Germany. The website bayernspd.de represents one of 16 SPD - state associations in Germany and therefor acts as a contact point for all political “online” questions regarding the SPD in Bavaria.
In July, we’ve discoverd multiple, critical errror-based SQL-Injection vulnerabilities on the official website of the Bavarian SPD and disclosed all details confidentially to the webmaster on the 16.July. The answer didn’t take that long and a first partial update has been applied to the website already on the 18.July. But this update only removed the display of the error messages of the database when supplied with the wrong chars, so the vulnerabiltiies were still exploitable using a Blind-SQL-Injection technique, which we were able to prove with another payload. But anyways, in close collaboration with the webmaster these issues have also been fixed quickly. On the 20.July all disclosed vulnerabilities have been finally fixed.
All security issues (in general) on websites like this are particularly dangerous, because the general standards of security are often measured against government or political websites, because those are somehow representative for the political party or the whole country. Often also hackivists attack those sites to take political action, for example the FDP (another political party in Germany) was hacked some months before and the database was leaked.
We would like to thank the webmaster of bayernspd.de for the fast reaction and the very professional and friendly collaboration. A really impressive behaviour that should be taken as a shiny example for other webmasters.
The team of internetwache.org
Screenshots:
