MetInfo audit thinking (code audit)

Source: Internet
Author: User

MetInfo is an interesting CMS; I think there are a lot of points in it worth playing with, so I am sharing it here for everyone to see.
The analysis below mainly covers MetInfo 5.3. First, unpack the archive and look at the file structure.

To get a feel for the structure of this CMS, start by opening index.php, the entry file, and look at how it is put together:

<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
$url = $_SERVER['PHP_SELF'];
$turnurl = dirname('http://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
$resstr = strstr($url, 'index.php/');
if ($resstr) {
    $turnurl = str_replace('index.php', '404.html', $turnurl);
    header("Location:".$turnurl);
}
// Installation / upgrade state checks
if (!file_exists('./config/install.lock')) {
    if (file_exists('./install/index.php')) {
        header("location:./install/index.php");
        exit;
    } else {
        header("Content-type:text/html;charset=utf-8");
        echo "Installation file does not exist, please upload the installation file. If you have already installed it, create a new config/install.lock file.";
        die();
    }
}
if (file_exists('./update') && !file_exists('./update/install.lock')) {
    header("location:./update/index.php");
    exit;
}
// Variable initialisation (note that $index is set before the include and reset after it)
$index = "index";
require_once 'include/common.inc.php';
require_once 'include/head.php';
$index = array();
$index['index'] = 'index';
$index['content'] = $met_index_content;
$index['lang'] = $lang;
$index['news_no'] = $index_news_no;
$index['product_no'] = $index_product_no;
$index['download_no'] = $index_download_no;
$index['img_no'] = $index_img_no;
$index['job_no'] = $index_job_no;
$index['link_ok'] = $index_link_ok;
$index['link_img'] = $index_link_img;
$index['link_text'] = $index_link_text;
$show['description'] = $met_description;
$show['keywords'] = $met_keywords;
require_once 'public/php/methtml.inc.php';
// Template selection
if ($met_indexskin == "" or !file_exists("templates/".$met_skin_user."/".$met_indexskin.".".$dataoptimize_html)) {
    $met_indexskin = 'index';
}
if ($map && $met_mobileok && is_numeric($uid)) {
    if ($wap_skin_user != 'wap001' && $wap_skin_user != 'mobile_001' && $wap_skin_user != 'mobile_002'
        && $wap_skin_user != 'mobile_003' && $wap_skin_user != 'mobile_004' && $wap_skin_user != 'mobile_005'
        && $wap_skin_user != 'mobile_006') {
        $met_indexskin = 'map';
    }
}
include template($met_indexskin);
footer();

The first block checks whether the CMS is in its installed (or mid-upgrade) state; after that the individual variables are initialised.
Note this line in particular:

require_once 'include/common.inc.php';

Open include/common.inc.php and look at lines 36 to 42 of that file:

foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        // every request key not starting with "_" becomes a variable in the including scope
        $_key[0] != '_' && $$_key = daddslashes($_value, 0, 0, 1);
        $_M['form'][$_key] = daddslashes($_value, 0, 0, 1);
    }
}

Anyone who has done much code auditing will recognise the risk of arbitrary variable overwrite here: this is register_globals reimplemented by hand, so any GET, POST or COOKIE key whose name does not start with an underscore is written straight into the scope of whichever file did the require. For a concrete case see one of my earlier vulnerability analyses: http://blog.csdn.net/niexinming/article/details/53153629
The behaviour can be shown with a small example:

<?php
$a = "a";        // initialised before the include
$b;              // declared but never assigned before the include
global $c;
$c = "555";
require_once 'include/common.inc.php';
global $e;       // declared after the include, never assigned
$d;              // declared after the include, never assigned
var_dump($a);
echo "</br>";
var_dump($b);
echo "</br>";
var_dump($c);
echo "</br>";
var_dump($d);
echo "</br>";
var_dump($e);


As can be seen, at the line require_once 'include/common.inc.php'; every variable named by an incoming parameter is overwritten, whether or not it was initialised above that line; and any variable below that line which is never assigned keeps whatever value the request put into it. So this becomes a test of how tightly the developers control the program structure: a little carelessness causes security problems.
Here is an example of an unsafe case.
There is this section of code in index.php:

$index = "index";
require_once 'include/common.inc.php';
require_once 'include/head.php';
$index = array();

Pass index=2333 to index.php and look at the effect:

You can see that the code logic has changed, leaving the page in a confused state. MetInfo 5.3 includes this require_once 'include/common.inc.php'; in a great many files,

so there are a lot of points to play with: for example, find an arbitrary file deletion, delete some key files so that certain variables are left uninitialised, and thereby take control of the whole code flow.
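The following script is an added example, not MetInfo's own code, written to demonstrate the loop from common.inc.php quoted above and the index=2333 effect in one place. It reproduces that loop on a constructed request, shows how it clobbers the $index that index.php had already set, and then shows a hardened loop that keeps request data in $_M['form'] only, plus a small audit helper. Assumptions that are not from the original page: daddslashes() is replaced by a minimal stand-in, $met_indexskin is used as a representative configuration variable, and the request is built by hand so the script runs offline.

```php
<?php
// Added example (not MetInfo code): variable overwrite via the common.inc.php
// loop, the same loop hardened, and an audit helper for collisions.

// Constructed request: "index" collides with index.php's own $index, "_skip"
// starts with an underscore and is therefore skipped by the original check.
$_GET    = array('index' => '2333', '_skip' => 'x', 'met_indexskin' => '../../evil');
$_POST   = array();
$_COOKIE = array();

// Stand-in for MetInfo's daddslashes() (assumption): only the escaping matters here.
function daddslashes($value, $force = 0, $strip = 0, $keep = 0) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = daddslashes($v, $force, $strip, $keep);
        }
        return $value;
    }
    return addslashes($value);
}

// State that index.php sets before it requires common.inc.php.
$index         = "index";
$met_indexskin = 'index';   // hypothetical: template name loaded from config

// ---- 1. the vulnerable loop (same logic as common.inc.php lines 36-42) ----
// The loop's own variables start with "_" precisely so the loop cannot clobber them.
$_M = array('form' => array());
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        // Any key not starting with "_" is written straight into this scope.
        if (substr((string)$_key, 0, 1) != '_') {
            $$_key = daddslashes($_value, 0, 0, 1);
        }
        $_M['form'][$_key] = daddslashes($_value, 0, 0, 1);
    }
}
echo "vulnerable loop:\n";
var_dump($index);          // the value set by index.php has been replaced by the GET parameter
var_dump($met_indexskin);  // the template name is now attacker-controlled
var_dump(isset($_skip));   // underscore keys never reach the scope
echo "\n";

// ---- 2. hardened loop: never write $$key, read input only via $_M['form'] ----
$index         = "index";
$met_indexskin = 'index';
$_M = array('form' => array());
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        $_M['form'][$_key] = daddslashes($_value, 0, 0, 1);
    }
}
// Callers that need a request value ask for it explicitly; internal state is
// untouched and every input has an obvious origin.
echo "hardened loop:\n";
var_dump($index);
var_dump($met_indexskin);
var_dump($_M['form']['index']);
echo "\n";

// ---- 3. audit aid: which request keys would have clobbered existing state? ----
// Assumption: called with get_defined_vars() from the scope that is about to
// include common.inc.php.
function request_collisions(array $existing_vars) {
    $hits = array();
    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($GLOBALS[$_request] as $_key => $_value) {
            if (substr((string)$_key, 0, 1) != '_' && array_key_exists($_key, $existing_vars)) {
                $hits[] = $_key;
            }
        }
    }
    return array_values(array_unique($hits));
}
echo "request keys that would overwrite existing variables:\n";
print_r(request_collisions(get_defined_vars()));
```

Run it with php on the command line; no web server is needed because the superglobals are filled in by hand. The third part is the check worth carrying into a real audit: run it at each require_once 'include/common.inc.php'; site with the variables that file has already defined, and every key it reports is a candidate for the kind of flow confusion described above.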

The latest version of MetInfo is now 6.0. The developers are aware of this class of problem and have made many improvements to the framework, gradually reducing the use of require_once 'include/common.inc.php';, which makes MetInfo 6.0 considerably more secure.
