SQL Injection On gruenberg.de - 2019-04-14
In the process of gathering a list of all websites of towns and cities in Germany, I see a lot of old websites that contain more or less obvious vulnerabilities.
On 01.04.2019 I found a SQL injection vulnerability on the CMS login page of the gruenberg.de website and immediately forwarded this information to the CERT Hessen.
I tend to contact the corresponding CERT instead of the owner of the website, because it’s hard to deal with them in most cases. Sometimes they do not answer at all, sometimes they just ignore you and the issue, sometimes they do not accept emails from outside their domain (this happened multiple times already!) and most of the time they do not understand what you want from them.
- 01.04.2019: Found issue and contacted CERT Hessen
- 02.04.2019: CERT Hessen acknowledged the issue
- 10.04.2019: CERT Hessen informed me about the issue being fixed
CERT Hessen rating
The CERT Hessen is easy to contact because everything you need you can find with a simple Google search; they react fast and inform you as soon as the problem is fixed. That’s an awesome experience when dealing with this kind of situation where it is not clear what is going to happen.