The German Company Telekom AG is the biggest communication company in Europe. Especially the high standards and the diverse services Telekom offers are normally a good sign for a secure website. Our research has shown something else.
We found the first vulnerabilities under the sub-domain “fcbayern” of the main domain “telekom.de”. It seems like the main site of the famous German football club FCBayern is hosted there.
As we were testing for XSS / SQLi vulnerabilities we tainted some parameters with some common test strings and in some cases that causes a malfunction of the PHP scripts. If “display_errors” is set to “1” in the php.ini, the php interpreter will display detailed information about the occurred error. Often this will include the disclosure of the full path to the executed file.
In combination with other vulnerabilities like local file inclusion or sql injection, additional information like the path to the document root may enable the attacker to gain further access to the server. It’s really easy to avoid such an information leakage issue simply by redirecting the error messages into an error log file and setting the “display_error” directive to “0”.
Some other parts of the mentioned website contained php code, which haven’t been interpreted by the interpreter. We considered this kind of vulnerability high risk. So this area of the site was examined and we could go on. We have found the sub-domain “evergabe” and the system is used to create pdf files ,which had a major SQL Injection vulnerability. The data of this system was in danger, because the vulnerable part of the site was connected to the portals database.
After having discovered two major security issues, we were trying to contact the right person. As usually we sent an email to Telekoms support team and hoped that someone would respond and/or forward the email to the security department. After the summer holidays we made another attempt to contact Telekom using Twitter as the communication channel. First we contacted the “normal” @Telekom twitter handle (02.08.2012) and after further six days of no response we contacted the twitter account @Telekom_hilft. Now things went down really fast, we got an answer with regards. Telekom did not notify us about the fix and our investigation on the 14th of august 2012 revealed that the problems have been fixed.
Now we say thank you to the Telekom company for their friendly behaviour, and are closing the thread.
The team of internetwache.org