A vulnerability was found in Bild WebSite (affected version unknown). It has been declared as critical. This vulnerability affects an unknown functionality of the file DSL-Anbieter.asp. The manipulation of the argument ID with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was published 07/14/2011 as VL-ID 165 as not defined advisory (Website). The advisory is available at vulnerability-lab.com. The exploitation appears to be easy. The attack can be initiated remotely. Technical details and also a public exploit are known. This vulnerability is assigned to T1505 by the MITRE ATT&CK project.

After immediately, there has been an exploit disclosed. It is possible to download the exploit at vulnerability-lab.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 425 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:DSL-Anbieter.asp it is possible to find vulnerable targets with Google Hacking.

Applying a patch is able to eliminate this problem. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Productinfo

Vendor

• Bild

Name

• WebSite

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion