Description
By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server. Movable Type (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following properties:
- This script may be invoked remotely without requiring authentication to any MT instance.
- Through a crafted POST request, it is possible to invoke particular database migration functions (i.e., functions that bring the existing database up to date with an updated codebase) by name and with particular parameters.
- A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a Perl eval statement, allowing Perl code injection.
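The third property is the root cause: a request-supplied class name becomes part of the source text given to a string eval. The following is an added illustration of that pattern beside a hardened form, not Movable Type source code; the package Demo::Entry, the method meta_table, the allowlist and both function names are hypothetical, and the inputs are constructed and harmless.

```perl
#!/usr/bin/env perl
# Added illustration only; not Movable Type code. All names are hypothetical.
use strict;
use warnings;

{ package Demo::Entry; sub meta_table { 'entry_meta' } }

package main;

# Hypothetical allowlist of classes a migration step may operate on.
my %ALLOWED_CLASS = map { $_ => 1 } qw(Demo::Entry);

# Unsafe pattern: the parameter is concatenated into Perl source and compiled
# by string eval, so any statement placed around the class name runs as well.
sub meta_table_unsafe {
    my ($class) = @_;
    return eval( $class . '->meta_table' );
}

# Hardened pattern: strict package-name syntax check, then an allowlist, then
# an ordinary method call. Request data is never compiled as code.
sub meta_table_safe {
    my ($class) = @_;
    die "invalid class name\n"
        unless defined $class && $class =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    die "class not permitted\n" unless $ALLOWED_CLASS{$class};
    return $class->meta_table;
}

our $marker = 0;    # set only if extra code smuggled in with the parameter runs

# Constructed inputs: a legitimate class name, then one with an extra statement.
for my $input ( 'Demo::Entry', '$main::marker = 1; Demo::Entry' ) {
    $marker = 0;
    meta_table_unsafe($input);
    my $safe = eval { meta_table_safe($input) };
    my $err  = $@;
    chomp $err;
    printf "%-32s unsafe ran extra code: %-3s | safe: %s\n",
        $input,
        ( $marker ? 'yes' : 'no' ),
        ( defined $safe ? $safe : "rejected ($err)" );
}
```

The second input sets the marker through the unsafe function and is rejected by the hardened one before any code is evaluated.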
Remediation
Upgrade to the latest version of Movable Type or apply the patch listed in the web references section.
References