Movable Type 4.x unauthenticated remote command execution

  • By directly calling an update-related CGI script with crafted input, and without authenticating, it is possible to execute arbitrary system commands on the host server. Movable Type (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises from the following properties:
      - This script may be invoked remotely without requiring authentication to any MT instance.
      - Through a crafted POST request, it is possible to invoke particular database migration functions (i.e. functions that bring the existing database up to date with an updated codebase) by name and with particular parameters.
      - A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a Perl eval statement, allowing Perl code injection.
  • Upgrade to the latest version of Movable Type or apply the patch listed in the web references section.
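
To support triage alongside the fix, this added example (not part of the original advisory and not Movable Type code) scans web access logs for POST requests to mt-upgrade.cgi from clients outside the networks administrators upgrade from. The combined log format, the ADMIN_NETS allowlist and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: networks from which administrators legitimately run upgrades.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def suspicious_upgrade_posts(lines, admin_nets=ADMIN_NETS):
    """Return {client: [(timestamp, path, status), ...]} for POSTs to
    mt-upgrade.cgi that come from outside the admin networks."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match the script name as a path segment: the install prefix varies
        # per site and extra path info may follow the script.
        segments = m["path"].split("?", 1)[0].lower().split("/")
        if "mt-upgrade.cgi" not in segments:
            continue
        try:
            trusted = any(ipaddress.ip_address(m["ip"]) in n for n in admin_nets)
        except ValueError:
            trusted = False  # hostname in client field: cannot match allowlist
        if not trusted:
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - admin [12/Mar/2013:09:00:01 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2013:09:14:22 +0000] "GET /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 1840 "-" "curl/7.29.0"',
    '198.51.100.7 - - [12/Mar/2013:09:14:25 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 233 "-" "curl/7.29.0"',
    '203.0.113.40 - - [12/Mar/2013:10:02:10 +0000] "POST /blog/mt/MT-Upgrade.cgi?x=1 HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.40 - - [12/Mar/2013:10:02:11 +0000] "POST /cgi/mt/mt-comments.cgi HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for client, events in suspicious_upgrade_posts(SAMPLE_LOG).items():
        for ts, path, status in events:
            print(f"{client} {ts} POST {path} -> {status}")
```

Access logs do not record POST bodies, so a hit is a lead for review (correlate with file-system and process activity around the timestamp) rather than proof of exploitation.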