After a short analysis we found a critical SQL injection on the website of the German Federal Court of Justice.
The SQL injection was located in a Python script under the subdomain “juris”. The script's purpose is to manage the court's documents and make them available to the public.
During our analysis we noticed that it was possible to run an SQL injection attack, but we never dug deeper because of possible legal consequences. That is why we cannot say exactly which data was stored and may have been accessible to a potential attacker. However, we knew the issue was very critical, because there could be confidential files on the server, so we contacted the webmaster confidentially as soon as possible. With a manipulated site request an attacker could have retrieved data from the database or manipulated it to his advantage.
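As an added illustration (not code from the original report, and not the juris script, whose source we never saw), here is the pattern behind such a finding in a Python document lookup, with the hardened form beside it. The table, the document IDs and the `lookup_*` functions are constructed for this example:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a court document index (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (doc_id TEXT PRIMARY KEY, title TEXT, public INTEGER)")
    con.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("DOC-0001", "Public ruling", 1),
            ("DOC-0002", "Internal memo", 0),  # must never be served to the website
        ],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, doc_id: str) -> list:
    # The request parameter is pasted into the SQL text, so its quotes and
    # operators become part of the statement: the classic injection defect.
    sql = f"SELECT doc_id, title FROM documents WHERE public = 1 AND doc_id = '{doc_id}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, doc_id: str) -> list:
    # Parameter binding: the driver passes doc_id as data, never as SQL syntax,
    # so the public = 1 filter cannot be bypassed by the request content.
    sql = "SELECT doc_id, title FROM documents WHERE public = 1 AND doc_id = ?"
    return con.execute(sql, (doc_id,)).fetchall()


def compare(doc_id: str) -> tuple:
    """Run both lookups on a fresh index and return (vulnerable_rows, hardened_rows)."""
    con = make_db()
    return lookup_vulnerable(con, doc_id), lookup_hardened(con, doc_id)


if __name__ == "__main__":
    # A crafted parameter turns the WHERE clause into a tautology for the
    # vulnerable lookup and leaks the non-public row; the hardened lookup
    # treats the same string as a literal document id and returns nothing.
    for probe in ("DOC-0001", "x' OR '1'='1"):
        vuln, hard = compare(probe)
        print(f"{probe!r}: vulnerable -> {len(vuln)} rows, hardened -> {len(hard)} rows")
```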
We contacted the Federal Court of Justice via a contact form on the 1st of June 2012. We asked for a status update on the issue a week later and learned that the IT department was working to capacity at the moment, but that the report had been forwarded to the developers and they would work on a fix as soon as possible. After another week the problem was solved and we received a nice thank-you letter.
The team of internetwache.org
No screenshots this time :/