Ebrahim Hegazy, an Egyptian researcher, has found another vulnerability that affected the Web servers of Deutsche Telekom, Germany’s biggest telecommunications provider.
He discovered the bug on the telekom.de website, on one of the subdomains that displayed a generic landing page. The subdomain umfragen.telekom.de translates to suggestions.telekom.de, and seems to be an abandoned Web page left behind from previous site iterations.
According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
The researcher said that the vulnerability was the most basic example of Remote Code Execution (RCE) vulnerability that allows attackers to gain full control of a Web server just by pinging its ports and open connections with malicious requests.
Having brute-forced the URL, Hegazy came across an upload.php file. The researcher built a tool called Pemburu for pen testing.
He managed to find the URL, which the upload.php file sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php. This allowed Hegazy to take a closer look at the code.
He came across a mechanism that acquired user input from the HTTP POST request without sanitizing it in any way and then attached the data as parameters to the PHP system function.
This particular function is modeled after the system function in C and allows PHP developers to execute shell commands from inside their PHP app and retrieve the results. Generally, it’s considered a good practice not to use this function on any front-facing Web server.
He reported about the flaw to the telco’s security team. The flaw has been patched.
As per a report published in Softpedia said that his research was carried out as part of the company’s bug bounty program and received a €2,000 / $2,150 reward.