MetInfo bug notes
unauthenticated file read
Short version: MetInfo 8.1 lets a guest upload an SVG through /app/system/entrance.php. The SVG parser resolves the external DTD the uploaded file references, so an XML external entity (XXE) can read a local file and send its contents back to a callback server.
The script spins up the callback listener, uploads a tiny proof SVG, waits for the DTD fetch and the leak callback, then decodes the returned file bytes.
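The root cause above is an SVG parser that honours a DTD and resolves external entities. The following upload check is an added example (not MetInfo's code) showing the defensive side: it screens the raw bytes for DOCTYPE and ENTITY declarations, then parses with expat configured to never load the external DTD subset and to refuse every external entity reference, and finally confirms the root element really is an SVG. The sample documents and the example.invalid URLs are constructed for the demonstration.

```python
"""Defensive checks for SVG uploads (added example, not MetInfo's code).

Policy: an SVG carrying a DOCTYPE or entity declaration is rejected before
it reaches any renderer, and whatever survives is parsed with external
entity resolution disabled.
"""
import re
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"

# Cheap pre-parse screen on the raw bytes. Legitimate SVG needs neither a
# DOCTYPE nor entity declarations, so their presence alone is a finding.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


def check_svg_upload(data: bytes) -> list:
    """Return a list of findings; an empty list means the upload is accepted."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype")
    if ENTITY_RE.search(data):
        findings.append("entity-declaration")

    root_name = []

    # namespace_separator makes element names "<uri> <local>", so the root
    # check below cannot be fooled by an <svg> element in another namespace.
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never parse parameter entities, which includes the external DTD subset:
    # a SYSTEM identifier on the DOCTYPE is therefore never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Catches DOCTYPEs the byte regex could miss (e.g. UTF-16 input).
        findings.append(f"doctype-decl:{name}")

    def on_external_entity(context, base, system_id, public_id):
        # Refuse to resolve any external general entity; returning 0 makes
        # expat abort the parse with an error instead of fetching it.
        findings.append(f"external-entity:{system_id}")
        return 0

    def on_start(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not-well-formed:{exc}")
        return findings
    if root_name != [f"{SVG_NS} svg"]:
        findings.append("root-not-svg")
    return findings


# Constructed sample uploads.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
             b'<rect width="1" height="1"/></svg>')
EXTERNAL_DTD_SVG = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE svg SYSTEM "http://dtd.example.invalid/svg.dtd">'
                    b'<svg xmlns="http://www.w3.org/2000/svg"/>')
EXTERNAL_ENTITY_SVG = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
                       b'<svg xmlns="http://www.w3.org/2000/svg">&ext;</svg>')
NOT_SVG = b'<html xmlns="http://www.w3.org/1999/xhtml"/>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("external-dtd", EXTERNAL_DTD_SVG),
                       ("external-entity", EXTERNAL_ENTITY_SVG), ("not-svg", NOT_SVG)]:
        print(label, "->", check_svg_upload(doc) or "accepted")
```

Rejecting on DOCTYPE is the simplest safe policy; some editor-exported SVGs do carry a harmless DOCTYPE, so a site that must accept those should strip the declaration rather than honour it, never load the DTD. In a PHP application such as this one the equivalent parser settings are to parse with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD.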