The “Handelsblatt” is one of the biggest daily newspaper in germany. With over 20,000 prints every day it enjoys a broad popularity offline as well as online, whereat the internet is getting more important. That’s why we took a closer look at the website.
It seemed like the website is secure, because is uses a relative stable CMS and sanitizes all user data. However there were some minor mistakes which lead to a XSS issue under the subdomain “abo”. A GET-Request wasn’t sanitized ordenary. We discovered another XSS issue in the most common place - the search box. Last but not least there was a SQL Injection issue under the subdomain “abo”. These two kinds of security issues are the most common vulnerabilites regarding to OWASP Top 10 2013.
On the 23th of july 2012 we’ve sent a detailed email to directly the webmaster, because we could get the necessary information from the imprint page. In less than 24 hours he replied telling us that he’s going to fix the reported security vulnerabilites. The xss problems were fixed 4 days later and they asked us for some more information on the sql injection vulnerability. After we’ve provided the necessary details they’ve fixed this problem, too.
We had an overall good communication process with the webmaster/developers of the “Handelsblatt”-website. We would like to thank them for always being friendly and competent and that they’ve fixed the security issues.
The team of internetwache.org
Screenshots:
