CVE-2020-21126

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in MetInfo 7.0.0 lets an attacker who lures an authenticated administrator to a malicious webpage perform unauthorized actions in the admin panel on that administrator's behalf. Attackers could modify system settings, create admin accounts, or alter content without the admin's knowledge. Only administrators with access to the vulnerable admin panel are affected.

💻 Affected Systems

Products:
  • MetInfo CMS
Versions: 7.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the admin interface at admin/?n=admin&c=index&a=doSaveInfo. Requires administrator authentication to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers create new admin accounts, modify all system settings, deface websites, or install backdoors through the admin interface.

🟠 Likely Case

Unauthorized system configuration changes, creation of new admin accounts, or content modification leading to data integrity issues and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper CSRF protections, though some risk remains if administrators are tricked into performing actions while authenticated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim admin to be logged into MetInfo and to visit a malicious webpage. A public GitHub repository contains proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.1 or later

Vendor Advisory: https://www.metinfo.cn/download/

Restart Required: No

Instructions:

1. Download the latest MetInfo version from the official site.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify that admin functionality works correctly.

🔧 Temporary Workarounds

CSRF Token Implementation (all)

  • Add CSRF tokens to admin forms to validate legitimate requests
  • Implement anti-CSRF tokens in admin form submissions

Referer Header Validation (all)

  • Validate HTTP Referer headers to ensure requests originate from the same domain
  • Configure the web server to validate Referer headers for admin endpoints

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and require re-authentication for sensitive actions
  • Use browser extensions that block CSRF attacks and educate administrators about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check if admin/?n=admin&c=index&a=doSaveInfo endpoint lacks CSRF protection by inspecting form submissions

Check Version:

Check MetInfo version in admin panel or via /admin/?n=admin&c=index&a=doUpdate

Verify Fix Applied:

Verify that admin forms now include CSRF tokens and validate them on submission

📡 Detection & Monitoring

Log Indicators:

  • Multiple admin actions from same session with different referers
  • Admin configuration changes without corresponding admin login events

Network Indicators:

  • HTTP POST requests to admin endpoints with external referers
  • Admin actions without proper CSRF tokens

SIEM Query:

source="web_logs" AND uri="/admin/?n=admin&c=index&a=doSaveInfo" AND referer NOT CONTAINS "yourdomain.com"
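As an added example (not from the advisory or the MetInfo project), the same idea applied to web-server access logs in Python: flag POSTs to the doSaveInfo action whose Referer is missing or whose host is not exactly the site's own host. The log lines, IP address and hostnames are constructed; the trusted host set is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx "combined" format; not from a real server.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2024:09:12:01 +0000] "POST /admin/?n=admin&c=index&a=doSaveInfo HTTP/1.1" 200 512 "https://www.example.com/admin/?n=admin&c=index" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:09:14:22 +0000] "POST /admin/?n=admin&c=index&a=doSaveInfo HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:09:15:03 +0000] "POST /admin/?n=admin&c=index&a=doSaveInfo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:09:16:40 +0000] "POST /admin/?n=admin&c=index&a=doSaveInfo HTTP/1.1" 200 512 "https://www.example.com.attacker.example/x" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:09:17:11 +0000] "GET /admin/?n=admin&c=index HTTP/1.1" 200 2048 "https://www.example.com/admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The state-changing MetInfo admin action named in this advisory.
TARGET_PATH = "/admin/"
TARGET_QUERY = {"n": "admin", "c": "index", "a": "doSaveInfo"}


def is_target_request(method: str, path: str) -> bool:
    """True for POSTs to admin/?n=admin&c=index&a=doSaveInfo, whatever the parameter order."""
    if method != "POST":
        return False
    parts = urlsplit(path)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path == TARGET_PATH and all(query.get(k) == v for k, v in TARGET_QUERY.items())


def referer_is_trusted(referer: str, trusted_hosts: set) -> bool:
    """Compare the Referer host exactly, not as a substring: 'www.example.com.attacker.example'
    must fail. A missing Referer ('-' or empty) is untrusted for a state-changing POST."""
    if not referer or referer == "-":
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host in trusted_hosts


def find_suspicious_posts(log_text: str, trusted_hosts: set) -> list:
    """Return (timestamp, ip, referer) for doSaveInfo POSTs whose Referer is missing or cross-site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_target_request(m["method"], m["path"]) \
                and not referer_is_trusted(m["referer"], trusted_hosts):
            hits.append((m["ts"], m["ip"], m["referer"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG, {"www.example.com"}):
        print("suspicious doSaveInfo POST:", hit)
```

Exact host comparison matters here: a substring test like the query above would also accept a Referer host that merely contains "yourdomain.com".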
