"Dream-weaving" CMS injecting high-risk vulnerabilities _dede

"Dream-weaving" CMS injecting high risk vulnerabilities Author: time: 2014-04-17 "Dream" CMS is a website built by Shanghai Zhuo Zhuo Network Technology Co., Ltd. Software, also known as "Dede Content management System", in the domestic application is more extensive. February 25, 2014, the software was disclosed there is a high-risk vulnerability, because the page parameters are not strictly filtered, there is a SQL injection vulnerability. The vulnerability-affected Dream CMS version includes v 5.7 SP1 and the following version. By February 28, attacks against the vulnerability had been publicly disseminated on the Internet using code and associated utility tools. The attacker can obtain the website database information directly by exploiting the loophole, then obtains the website backstage Management Authority, the follow-up may further penetrate obtains the website service control right.
According to the National Internet Emergency Center monitoring found that the attack in response to the vulnerability of the recent large-scale outbreak of the trend of Web site operation Security and user personal information security poses a more serious threat, is to increase vulnerability notification and disposal efforts.

Suggestions on the prevention and disposal of loopholes

At present, software manufacturers have issued a relevant patch for the vulnerability, advising users to timely upgrade to the manufacturer's official website to download patches, and to restrict the site admin access to the background IP address. has been invaded, it is recommended to thoroughly clean the Web server, clear suspicious files, accounts, backdoor procedures, etc., upgrade dedecms after the change Management background account and password.