Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta

(This vulnerability only occurs on Windows OS.)

In /language/admin/language_general.class.php, look at the doExportPack method. In this method the `editor` and `site` parameters are used to build the `filename` value, which is then passed as the argument of the `delfile` method.

Let's take a look at the app/system/include/function/file.func.php source code. In the `delfile` method the `filename` argument is passed to `file_exists`, and if the return value is true the file named by `filename` is removed with `unlink`.

Before we analyze this point further, let's look at how `file_exists` behaves differently on Linux and on Windows.

[screenshot: file_exists on Linux]
[screenshot: file_exists on Windows]

On Linux (first picture), if there is no real directory named `asdf`, the function does not return true for a path containing `asdf/../`, because the kernel resolves the path one component at a time and fails on the missing one. On Windows (second picture), `file_exists` returns true even when the directory `asdf` in the path is fake, because the path is normalized lexically (`asdf/../` is collapsed) before the file system is consulted.

Because of this point we can delete a remote ini file on a Windows server: the `../` traversal in the attacker-controlled part of the path is collapsed first, and the fake leading directory component never has to exist.

Attack scenario:
Set the `site` parameter to 'admin' or 'web' and give the `editor` parameter a value of the form '../../../---/{ini-filename}'.

POC :
/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Users/test/Desktop/test&appno=123
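To make the Linux/Windows difference concrete, and to show what a safe `delfile` should check instead, here is an added example in Python. It is not Metinfo code and does not reproduce the project's `doExportPack` or `delfile`; the directory layout (`lang_pack`, `config.ini`, `pack.ini`) is constructed inside a temporary directory purely for the demonstration, and `raw_exists` / `safe_delete` are hypothetical names. `raw_exists` mirrors the vulnerable pattern (build a path from user input, call an existence check, then unlink), and `safe_delete` is the hardened version: it accepts only a bare file name and confirms the resolved path stays inside the allowed directory on the real file system, so a fake `asdf/../` component is rejected on every OS, not just on Linux.

```python
import os
import tempfile


def raw_exists(base_dir, user_path):
    """The vulnerable pattern: build a path from attacker input and ask the OS
    whether it exists.  On Windows the Win32 layer collapses 'asdf/..' lexically
    before touching the disk, so a fake directory in user_path does not make the
    check fail; on Linux every component must really exist."""
    return os.path.exists(os.path.join(base_dir, user_path))


def lexical_view(user_path):
    """The path after pure string normalisation, i.e. what Windows effectively
    evaluates regardless of whether the intermediate directories exist."""
    return os.path.normpath(user_path)


def is_contained(base_dir, candidate):
    """True only if candidate resolves (symlinks included) to a location inside base_dir."""
    real_base = os.path.realpath(base_dir)
    real_target = os.path.realpath(os.path.join(base_dir, candidate))
    return os.path.commonpath([real_base, real_target]) == real_base


def safe_delete(base_dir, name):
    """Hardened stand-in for delfile (hypothetical, not the project's code):
    accept only a bare file name, confirm it resolves inside base_dir on the
    real file system, then unlink it.  Returns True only if a file was removed."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        return False
    target = os.path.join(base_dir, name)
    if not is_contained(base_dir, name) or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Run both checks against a constructed layout and return the results."""
    with tempfile.TemporaryDirectory() as root:
        pack_dir = os.path.join(root, "lang_pack")   # constructed: where packs are written
        os.mkdir(pack_dir)
        ini = os.path.join(root, "config.ini")        # constructed: target outside pack_dir
        with open(ini, "w") as fh:
            fh.write("[site]\n")
        legit = os.path.join(pack_dir, "pack.ini")   # constructed: legitimate file inside pack_dir
        with open(legit, "w") as fh:
            fh.write("x")

        # Traversal through components that all exist: true on every OS.
        real_trav = os.path.join("..", "config.ini")
        # Traversal through a directory that does not exist: OS-dependent.
        fake_trav = os.path.join("asdf", "..", "..", "config.ini")

        return {
            "on_windows": os.name == "nt",
            "real_dirs_exists": raw_exists(pack_dir, real_trav),
            "fake_dir_exists": raw_exists(pack_dir, fake_trav),
            "real_dirs_lexical": lexical_view(real_trav),
            "fake_dir_lexical": lexical_view(fake_trav),
            "safe_deleted_real_trav": safe_delete(pack_dir, real_trav),
            "safe_deleted_fake_trav": safe_delete(pack_dir, fake_trav),
            "ini_survives": os.path.isfile(ini),
            "safe_deleted_plain_name": safe_delete(pack_dir, "pack.ini"),
            "legit_removed": not os.path.exists(legit),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run on Windows, `fake_dir_exists` comes back True and the ini outside the pack directory would be unlinked by the raw pattern; on Linux it comes back False, which is exactly why the report says the bug only triggers on Windows. Either way `lexical_view` shows the two traversals collapse to the same string, and `safe_delete` refuses both while still deleting a plain file name inside the allowed directory.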