CVE-2020-21127
📋 TL;DR
MetInfo 7.0.0 contains a SQL injection vulnerability in the admin logs deletion function that allows attackers to execute arbitrary SQL commands. This affects all installations of MetInfo 7.0.0 content management system. Attackers can potentially access, modify, or delete database content through this vulnerability.
💻 Affected Systems
- MetInfo CMS
📦 What is this software?
Metinfo by Metinfo
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.
Likely Case
Unauthorized database access allowing extraction of sensitive information like user credentials, configuration data, and content.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Exploit requires access to admin interface, but SQL injection payloads are publicly available in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.1 or later
Vendor Advisory: https://www.metinfo.cn/
Restart Required: No
Instructions:
1. Backup database and files.
2. Download latest MetInfo version from official site.
3. Replace affected files or perform full upgrade.
4. Verify fix by testing admin/?n=logs&c=index&a=dodel endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Add SQL injection filtering to the logs deletion function parameters
Modify admin/logs/index.php to sanitize input parameters before SQL execution
Access Restriction
Restrict access to admin interface via firewall or authentication
iptables -A INPUT -p tcp --dport 80 ! -s TRUSTED_IP -j DROP (Linux; the negation goes before -s. Note that this rule blocks the whole site on port 80 for every other address and does not cover port 443, so a path-scoped restriction on the admin directory in the web server config is usually the better fit)
Add IP restrictions in .htaccess or web server config
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Disable or restrict the vulnerable admin/logs functionality
🔍 How to Verify
Check if Vulnerable:
Test admin/?n=logs&c=index&a=dodel endpoint with SQL injection payloads like ' OR '1'='1
Check Version:
Check MetInfo version in admin panel or view /install/install.txt file
Verify Fix Applied:
Verify the same SQL injection payloads no longer execute and return proper error handling
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts to admin panel
- Suspicious POST requests to admin/?n=logs&c=index&a=dodel
Network Indicators:
- SQL injection patterns in HTTP requests
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="*admin/?n=logs&c=index&a=dodel*" AND (request="*' OR*" OR request="*UNION*" OR request="*SELECT*" OR request="*INSERT*")