Just Another Hacker

Cross site scripting in Movable Type

Movable Type is a professional publishing platform. [Taken from: http://www.movabletype.org]

Vulnerability description

The ‘static’ parameter to the comment script (mt-comment.cgi) is not sufficiently sanitised, which allows an attacker to break out of the URL in the meta redirect in the response, resulting in a cross site scripting attack.
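To make the root cause concrete, the following added example (written here for this page in Python, not Movable Type's own Perl code) contrasts a redirect page built by concatenating the parameter into the meta refresh attribute with a hardened version that restricts the target to a relative path or a URL on an assumed allowed host and attribute-encodes it. The function names, the host name "vuln.com" and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

META = '<meta http-equiv="refresh" content="0; url=%s">'


def vulnerable_meta_redirect(static: str) -> str:
    """Constructed stand-in for the flawed pattern the advisory describes:
    the parameter is dropped into a quoted attribute without encoding, so a
    value containing '">' closes the attribute and the tag and whatever
    follows is parsed as new markup."""
    return META % static


def safe_redirect_target(static: str, allowed_host: str) -> str:
    """Allow only a site-relative path (not protocol-relative '//host') or an
    http(s) URL whose host is allowed_host; fall back to '/' otherwise.
    This also rejects 'javascript:' and off-site redirect targets."""
    parts = urlsplit(static)
    if (parts.scheme == "" and parts.netloc == ""
            and static.startswith("/") and not static.startswith("//")):
        return static
    if parts.scheme in ("http", "https") and parts.hostname == allowed_host:
        return static
    return "/"


def hardened_meta_redirect(static: str, allowed_host: str) -> str:
    """Validate the target, then encode it for an HTML attribute context so a
    quote or angle bracket in an otherwise acceptable URL cannot break out."""
    target = safe_redirect_target(static, allowed_host)
    return META % html.escape(target, quote=True)


def tag_count(page: str) -> int:
    """A single self-contained meta tag contains exactly one '<'; any more
    means the response carries attacker-supplied markup."""
    return page.count("<")


if __name__ == "__main__":
    # Constructed benign break-out value: closes the attribute and the tag.
    breakout = '"><b>injected</b>'
    print(vulnerable_meta_redirect(breakout), tag_count(vulnerable_meta_redirect(breakout)))
    print(hardened_meta_redirect(breakout, "vuln.com"))
    print(hardened_meta_redirect("/2011/05/post.html", "vuln.com"))
    print(hardened_meta_redirect('http://vuln.com/a"b', "vuln.com"))
```

The allowlist alone is not enough: the last call shows a same-host URL that still carries a double quote, which only the attribute encoding neutralises. Both checks together are what the response needs.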

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Movable Type BugID: #105441
  • Vendor: Six Apart Ltd - http://www.sixapart.com
  • Affected versions:
    • Movable Type Open Source 4.x
    • Movable Type Open Source 5.x
    • Movable Type 4.x ( with Professional Pack, Community Pack )
    • Movable Type 5.x ( with Professional Pack, Community Pack )
    • Movable Type Enterprise 4.x

Proof of Concept

http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static=">

&logout=1&entry_id=

Solution

Upgrade to the latest versions of Movable Type 4 or Movable Type 5:

  • Movable Type Open Source 4.36
  • Movable Type Open Source 5.05
  • Movable Type Open Source 5.1
  • Movable Type 4.36 ( with Professional Pack, Community Pack )
  • Movable Type 5.05 ( with Professional Pack, Community Pack )
  • Movable Type 5.1 ( with Professional Pack, Community Pack )
  • Movable Type Enterprise 4.36
  • Movable Type Advanced 5.1

Disclosure timeline

  • 25-May-2011 - Advisory released
  • 24-May-2011 - New version released
  • 18-May-2011 - Patch produced
  • 11-Jan-2011 - Vendor acknowledged vulnerability
  • 08-Jan-2011 - Vendor notified through email
