MetInfo Local File Inclusion Scanner
Detects 'Local File Inclusion (LFI)' vulnerability in MetInfo affects v. 6.0.0 through 6.1.0.
Short Info
Level
High
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
19 days 1 hour
Scan only one
URL
Toolbox
-
MetInfo is a comprehensive content management system used by businesses for setting up and managing online websites. It provides tools for creating dynamic web content, managing multimedia, and displaying information to users effectively. Organizations and developers use MetInfo to facilitate various functions like e-commerce, blogging, and corporate website management. MetInfo is designed for both English speaking and Chinese speaking markets, making it versatile for international use. The software is frequently chosen for its easy-to-use interface and robust features, allowing seamless integration and deployment. MetInfo’s extensive community support and plug-in systems make it a go-to option for developers seeking to extend its capabilities.
Local File Inclusion (LFI) is a critical security vulnerability that allows an attacker to include files on a server through the web browser. This vulnerability occurs due to the improper validation of page or file inclusion requests. Attackers can exploit LFI to access sensitive files, execute arbitrary code, or conduct more severe system attacks such as Remote Code Execution (RCE). Detection of such vulnerabilities is vital to protect sensitive data stored within the server file structures. In many cases, LFI can be utilized as an entry point for further attacks once the internal server file paths are disclosed. The potential impact on confidentiality is significant, demanding proactive detection and mitigation measures.
The vulnerability in MetInfo versions 6.0.0 through 6.1.0 lies specifically in the 'thumb.php' endpoint where file path parameters are not properly sanitized. When a user inputs a path structure, the system allows manipulation, leading to sensitive file disclosures. Files such as 'config/config_db.php' can be revealed, which may contain critical database credentials. The parameters 'dir' were observed to be manipulated with patterns like includes of several dots or slashes that traverse directories. Successful exploitation results in access to critical system configurations which can be further leveraged by attackers. It is crucial for users to restrict directory access and ensure input validations to mitigate such vulnerabilities.
Exploiting the Local File Inclusion vulnerability may result in significant security breaches within a system. Malicious individuals could gain unauthorized access to sensitive files like configuration files, which can lead to the exposure of confidential information. The presence of such vulnerabilities can serve as an entry point for further compromised actions such as database manipulation or execution of unauthorized operations. Attackers could potentially elevate privileges or deploy malicious software if they can successfully execute codes from disclosed locations. These scenarios pose a threat not only to data confidentiality but also to system integrity and availability.
REFERENCES