SB2018022117 - Multiple vulnerabilities in Metinfo
Published: February 21, 2018 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2018-14419)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via a modified name of the navigation bar on the home page.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site request forgery (CVE-ID: CVE-2018-14420)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Arbitrary file upload (CVE-ID: CVE-2018-13024)
The vulnerability allows a remote privileged user to execute arbitrary code.
Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.
4) Cross-site request forgery (CVE-ID: CVE-2018-12530)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as be exploited via CSRF.
5) Code Injection (CVE-ID: CVE-2018-12531)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in MetInfo 6.0.0. installindex.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.
6) Cross-site scripting (CVE-ID: CVE-2018-9985)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Input validation error (CVE-ID: CVE-2018-9934)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.
8) Cross-site scripting (CVE-ID: CVE-2018-7721)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Code Injection (CVE-ID: CVE-2018-7271)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/AvaterXXX/Metinfo---XSS/blob/master/test
- https://github.com/AvaterXXX/Metinfo---XSS/blob/master/CSRF
- http://www.kingkk.com/2018/06/Metinfo-v6-0-0-getshell-in-background/
- https://github.com/summ3rf/Vulner/blob/master/Metinfo.md
- https://github.com/learnsec6/test/issues/1
- http://www.cnblogs.com/babers/p/8503116.html
- http://www.cnblogs.com/babers/p/8745739.html
- https://github.com/Gitaddy/vluns/blob/master/Metinfo.md
- https://github.com/SQYY/CVE/blob/master/MetInfo_G.txt