Dusseldorf airport closes security holes
According to an advisory in the Vulnerability Lab vulnerability database, Dusseldorf airport closed potentially critical security holes in several areas of its web site in December. A database extract available to The H's associates at heise Security indicates that the SQL injection holes potentially allowed unauthorised access to the entire database, which contains personal data and passwords of passengers and partners, as well as Airliner Lounge data that is normally only available to airline employees.
The extract also contains references to a "vip_personen" table that appears to be intended for storing celebrity passenger data. According to Vulnerability Lab, it was also possible to access credit card data, passenger lists and even the server's root password.
The holes were contained in the web application code of the site's photo gallery, store overview and press areas. Vulnerability Lab noted that it had informed the airport about the vulnerabilities in April 2011. "Unfortunately, we never received a reply. When doing a check, we found that the holes were only closed a few weeks ago", security expert Benjamin Kunz Mejri told heise Security. Dusseldorf airport has so far not responded to enquiries by phone or in writing.