Researchers have discovered several SQL injection vulnerabilities in the websites of the European Parliament and the European Commission — both hosted on the official domain of the European Union (europa.eu).
The flaws were identified by experts from Government Laboratory, a project of Germany-based security firm Vulnerability Lab that focuses on finding zero-day vulnerabilities in government web applications and network services.
The security holes, discovered by Vulnerability Lab CEO Benjamin Kunz Mejri and researcher Marco Onorati, were reported to CERT-EU in May and they were plugged within 1-2 weeks.
“We reported the bugs by the responsible disclosure program and got acknowledged for the critical vulnerabilities in a fair way by the CERT-EU team,” Kunz Mejri, who was listed in CERT-EU’s Hall of Fame, told SecurityWeek.
The SQL injection flaws were found in various sections of the European Commission’s website, including the ones dedicated to the INSPIRE directive (inspire.ec.europa.eu), growth (ec.europa.eu/growth), and employment, social affairs and inclusion (ec.europa.eu/social). In the case of the European Parliament, a vulnerability existed on the europarl.europa.eu/sides/ webpage.
According to the researchers, the flaws could have been exploited by remote, unauthenticated attackers to gain access to European Commission and European Parliament databases containing potentially sensitive user data.
However, Kunz Mejri believes it would not have been easy for an attacker to exploit the security holes, especially without being detected by cybersecurity systems. CERT-EU has not responded to SecurityWeek’s request for comment.
The Government Laboratory research team says it has found vulnerabilities in the websites of several government organizations, including the U.S. Department of Defense and various European agencies. The details will be disclosed after the flaws are patched.