Description

By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server. MoveableType (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform.The vulnerability arises due to the following properties:

  • This script may be invoked remotely without requiring authentication to any MT instance.
  • Through a crafted POST request, it is possible to invoke particular database migration functions (i.e functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters.
  • A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a perl eval statement, allowing perl code injection.

Remediation

Upgrade to the latest version of Moveable Type or apply the patch listed in the web references section.

References

Movable Type 4.38 patch to fix a known upgrading security issue

Moveable Type 4.x Unauthenticated Remote Command Execution

Related Vulnerabilities

Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2019-8158)

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-29450)

PostgreSQL Other Vulnerability (CVE-2002-1400)

PHP Use After Free Vulnerability (CVE-2016-9137)

Drupal Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2017-6381)

Severity

High

Classification

CVE-2013-0209 CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities