One late night we decided to take a look at the website of the big german broadcaster “RTL”. There have been some reports about vulnerabilites on rtl.de, but often you just have to take another look and you will find another vulnerability.
After some basic tests we discovered five parameters distributed over two pages, which allowed us to inject abitary sql commands. These two pages were located at the subdomain “cocomore”.
The german law prohibits the unauthorized retrival of information beloging to other persons. That’s why we cannot say what kind of data was stored in the database behind the web application.
However, we consider sql injection as very critical, so we contacted RTL using their online formular on the 10th of june 2012. RTL responded after one day and said that they forwarded the email to the technical department. We did not have to wait long for the next email in which the technical department said, that they forwared the message to the external service provider.
Our review on the 17th of june 2012 revealed that the vulnerabilities have been fixed. Unfortunaly they forgot to drop us a line about the fact, that they fixed the issues.
Nevertheless we want to thank RTL for the fix and we would like to see a final notification about the fix in the future.
The team of internetwache.org