MetInfo Local File Inclusion (LFI) Scanner

MetInfo is widely utilized by enterprises seeking to establish a robust online presence. The platform offers an array of functionalities tailored to enhance the digital experience of companies across various industries. It is renowned for its adaptability and comprehensive content management capabilities, making it an ideal choice for building corporate websites. Its PHP and MySQL foundation allows for seamless integration with existing systems. Through continuous updates, MetInfo ensures that its users receive the latest features, maintaining an edge in the competitive digital landscape. The version checked is commonly used due to its efficiency and reliable performance.

The local file inclusion vulnerability can inadvertently expose sensitive data residing on the server. Attackers may exploit this flaw by tricking the server into including unauthorized files in its process. This can lead to severe information disclosure and escalate into more significant security breaches if further exploited. Users of the affected version could face potential risks if the vulnerability is not patched promptly. The ability to include arbitrary files poses a threat not just to data integrity but also to overall system security. This vulnerability signifies a critical oversight in managing file paths within the affected MetInfo version.

The vulnerable endpoint lies within the 'index.php' file, specifically targeting the 'dataoptimize_html' parameter. Without proper checks, this parameter allows traversal to unintended directories through manipulation, potentially exposing sensitive files. The inclusion of '../' sequences in HTTP requests is a key signifier of such exploitation attempts. The lack of validation or filtering of this input parameter contributes to the LFI vulnerability. Attackers can inject paths to unwanted directories and gain access to restricted server resources. Ensuring that all input is sanitized could prevent unauthorized access to server data.

Should such a vulnerability be exploited, it might result in unauthorized access to confidential information stored within the server. Malicious entities might gain insight into server structure, leading to targeted attacks that could disrupt services. There is also the potential for further compromise through the execution of unauthorized scripts. The exploitation could serve as a stepping stone for attackers to gain deeper, unauthorized access to server resources. Harm to the company's reputation and potential legal concerns may arise if customer data gets exposed. Mitigating the vulnerability promptly is essential in preserving system integrity.

REFERENCES

• http://www.wooyun.org/bugs/wooyun-2015-0159386