Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to repair the SQL injection loophole in the pan-micro e-cology OA system". The content in the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "how to repair the SQL injection loophole in the pan-micro e-cology OA system".

Overview of vulnerabilities

On October 10, 2019, the National Information Security vulnerability sharing platform (CNVD) announced that there is a SQL injection vulnerability in the pan-micro e-cology OA system (CNVD-2019-34241). When the WorkflowCenterTreeData interface of pan-micro e-cologyOA system uses Oracle database, due to the lax splicing of built-in SQL statements, there is a SQL injection vulnerability in pan-micro e-cologyOA system.

This vulnerability can be exploited by an attacker to remotely send specially crafted SQL statements to obtain database sensitive information without authorization. At present, the vulnerability PoC has been made public, and the official fix has not yet been released.

Vulnerability risk

High risk

Affect the version

Pan-micro e-cology OA system, using the JSP version of the oracle database

Repair suggestion

Temporary mitigation measures

Use parameter checking to intercept parameters with SQL syntax from passing into the application

Use precompiled processing to process SQL statements with concatenated user parameters

Before the parameters enter the database for execution, check the semantic integrity of the SQL statement to make sure that the semantics have not changed.

When a SQL injection vulnerability occurs, filter or verify the faulty parameters before they are concatenated into the SQL statement. Do not rely on the protection code at the beginning of the program.

Audit the database execution log periodically to see if there is SQL statement execution outside the normal logic of the application.

It is forbidden to open the affected system on the public network.

Thank you for reading, the above is the content of "how to repair the SQL injection loophole in the pan-micro e-cology OA system". After the study of this article, I believe you have a deeper understanding of how to repair the SQL injection loophole in the pan-micro e-cology OA system, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.