MetInfo Local File Inclusion Scanner

Detects 'Local File Inclusion (LFI)' vulnerability in MetInfo affects v. 6.0.0 through 6.1.0.

Short Info


Level

High

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

19 days 1 hour

Scan only one

URL

Toolbox

-

MetInfo is a comprehensive content management system used by businesses for setting up and managing online websites. It provides tools for creating dynamic web content, managing multimedia, and displaying information to users effectively. Organizations and developers use MetInfo to facilitate various functions like e-commerce, blogging, and corporate website management. MetInfo is designed for both English speaking and Chinese speaking markets, making it versatile for international use. The software is frequently chosen for its easy-to-use interface and robust features, allowing seamless integration and deployment. MetInfo’s extensive community support and plug-in systems make it a go-to option for developers seeking to extend its capabilities.

Local File Inclusion (LFI) is a critical security vulnerability that allows an attacker to include files on a server through the web browser. This vulnerability occurs due to the improper validation of page or file inclusion requests. Attackers can exploit LFI to access sensitive files, execute arbitrary code, or conduct more severe system attacks such as Remote Code Execution (RCE). Detection of such vulnerabilities is vital to protect sensitive data stored within the server file structures. In many cases, LFI can be utilized as an entry point for further attacks once the internal server file paths are disclosed. The potential impact on confidentiality is significant, demanding proactive detection and mitigation measures.

The vulnerability in MetInfo versions 6.0.0 through 6.1.0 lies specifically in the 'thumb.php' endpoint where file path parameters are not properly sanitized. When a user inputs a path structure, the system allows manipulation, leading to sensitive file disclosures. Files such as 'config/config_db.php' can be revealed, which may contain critical database credentials. The parameters 'dir' were observed to be manipulated with patterns like includes of several dots or slashes that traverse directories. Successful exploitation results in access to critical system configurations which can be further leveraged by attackers. It is crucial for users to restrict directory access and ensure input validations to mitigate such vulnerabilities.

Exploiting the Local File Inclusion vulnerability may result in significant security breaches within a system. Malicious individuals could gain unauthorized access to sensitive files like configuration files, which can lead to the exposure of confidential information. The presence of such vulnerabilities can serve as an entry point for further compromised actions such as database manipulation or execution of unauthorized operations. Attackers could potentially elevate privileges or deploy malicious software if they can successfully execute codes from disclosed locations. These scenarios pose a threat not only to data confidentiality but also to system integrity and availability.

REFERENCES

Get started to protecting your Free Full Security Scan