MetInfo m topology enterprise website management system 5. 0. 2 code auditing exploit and repair summary-vulnerability warning-the black bar safety net

2012-09-30T00:00:00
ID MYHACK58:62201235072
Type myhack58
Reporter 佚名
Modified 2012-09-30T00:00:00

Description

MetInfo enterprise website management system using PHP+Mysql schema, full Station built-in SEO search engine optimization mechanism, support user since defined interface language(global various language), has enterprise website common of module features corporate profile module, news module, product modules, download module, image module, recruitment module, online messages, feedback systems, online exchanges, links, Site Map, membership and permissions management. Powerful and flexible back office management capabilities, static page generation capabilities, personalized modules to add functionality, various sections of custom FLASH style functions for enterprise to create a the atmosphere nice and having the marketing power of the boutique site.

First look at the structure of the program

!

After installation if you did not delete the install, 下面有一个phpinfo.php (install/phpinfo.php), you can see under server information.

A, unauthorized modification of any user password vulnerabilities pass to kill 2. 0 to latest 5. 0. 2 Version

Looked under members and administrators are in a met_admin_table table, we see membersave. php file

<? php

require_once ’../include/common.inc.php’;

if($action==”add”){

if($met_memberlogin_code==1){

require_once ’captcha.class.php’;

$Captcha= new Captcha();

if(!$ Captcha->CheckCode($code)){

echo(“<script type=’text/javascript’> alert(‘$lang_membercode’); window. history. back();</script>”);

exit;

}

}

$admin_if=$db->get_one(“SELECT * FROM $met_admin_table WHERE admin_id=’$yhid’”);

[1] [2] [3] [4] [5] [6] [7] [8] [9] [1 0] next