CHT Security Team Discovered a Vulnerability in a Well-Known Marketing System
【Summary】
The CHT Security Team discovered that a marketing system has a SQL injection vulnerability, which affects some domestic enterprises, among others.
【Risk level】
High
【Known Affected Software】
N/A
【Description】
AIM does not filter special characters in the values of a specific function parameter. An attacker can exploit this vulnerability to perform arbitrary SQL queries without authentication.
After receiving the information, the developer released the relevant updates as soon as possible. Agencies or enterprises that use this system should contact the manufacturer as soon as possible for updates.
The CHT Security Team recommends the following measures:
1. Users: Contact the manufacturer to install the patch as soon as possible.
2. System developers: Input parameters should be checked during program development.
3. System developers: It is recommended to introduce SSDLC (Secure Software Development Life Cycle), conduct secure program development education and training, and regularly perform security tests such as source code review and penetration testing to effectively ensure product and user security.