CHT Security Team Discovered a Vulnerability in Well-Known Management Information System
【Summary】
The CHT Security Team discovered that a Management Information System (MIS) has Relative Path Traversal, Unrestricted Upload of File with Dangerous Type, and Code Injection vulnerabilities, which affect some domestic enterprises, among others.
【Risk level】
High
【Known Affected Software】
N/A
【Description】
A specific function of the MIS does not filter special characters from one of its parameter values. An attacker can exploit this vulnerability to download any file from the target system, upload arbitrary files to it, or execute arbitrary PHP code.
After being notified, the developer released the relevant updates as soon as possible. Agencies or enterprises that use this system are advised to contact the manufacturer for the updates as soon as possible.
The CHT Security Team recommends the following measures:
1. Users: Contact the manufacturer to install the patch as soon as possible.
2. System developers: Input parameters should be validated during program development.
3. System developers: It is recommended to introduce an SSDLC (Secure Software Development Life Cycle), conduct secure programming education and training, and regularly perform security tests such as source code review and penetration testing to effectively ensure product and user security.
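As an added illustration of the parameter checks recommended above (this is example code written for this advisory, not the affected product's or vendor's code), the two PHP functions below show how a download parameter can be confined to a base directory and how an upload can be restricted to an allowlist of non-executable types. Function names, the base directory and the allowlist are assumptions; PHP 8.0 or later is assumed for str_contains()/str_starts_with().

```php
<?php
// Added example for the advisory's mitigation advice; names are hypothetical.
// Requires PHP >= 8.0 (str_contains / str_starts_with).

// Resolve a user-supplied relative filename inside $baseDir and refuse anything
// that escapes it: "../" sequences, absolute paths, NUL bytes, or symlinks that
// point outside the directory.
function resolveDownloadPath(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes and absolute (POSIX or Windows drive) paths up front.
    if (str_contains($userPath, "\0")
        || str_starts_with($userPath, '/')
        || preg_match('/^[A-Za-z]:/', $userPath) === 1) {
        return null;
    }
    // realpath() collapses ".." and resolves symlinks, so any traversal
    // produces a canonical path that no longer starts with $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false
        || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Accept an upload only when its extension is on an allowlist and the content
// type detected from the bytes matches that extension; the client-supplied
// name and MIME type are never trusted. Returns a server-generated filename.
function validateUpload(string $tmpPath, string $clientName): ?string
{
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // .php, .phtml, .htaccess and similar are not allowlisted
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return null; // extension and actual content disagree
    }
    // Random storage name: the client cannot choose the path or extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

Both functions return null on any rejection so the caller can fail closed and log the request rather than fall back to the raw parameter.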