VID 21740
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description A version of Movable Type older than version 3.2 was detected on the host. Movable Type is weblog publishing software written in Perl. Movable Type versions prior to 3.16 are affected by multiple vulnerabilities, which a remote attacker can exploit to conduct phishing and script insertion attacks, disclose certain information, and potentially compromise a vulnerable system:

1) The problem is that different error messages are returned depending on whether or not a supplied username exists when using the password reset functionality. This can be exploited to enumerate valid usernames.
2) The problem is that files with arbitrary file extensions can be uploaded to a directory inside the web root. This can be exploited, for example, to upload and execute a malicious PHP script.
3) Input passed to certain fields when creating new blog entries isn't properly sanitized before being used. This can be exploited to inject arbitrary script code, which will be executed in a user's browser session in the context of an affected site when the malicious user data is viewed.
4) The problem is that the "mt-comments.cgi" script redirects external URLs in comments. This can be exploited to trick users into visiting a malicious web site.

* Note: This check relies solely on the version number of Movable Type on the remote Web server to assess this vulnerability, so the result might be a false positive.

* References:
http://secunia.com/advisories/16899/

* Platforms Affected:
Movable Type versions prior to 3.16
Any operating system, any version
Recommendation Upgrade to the latest version of Movable Type (3.2 or later), available from the Movable Type Web site at http://www.sixapart.com/movabletype/

-- AND --

Grant only trusted users the ability to upload files via the administrative interface.
Related URL CVE-2005-3101, CVE-2005-3102, CVE-2005-3103, CVE-2005-3104 (CVE)
Related URL 14910, 14911, 14912 (SecurityFocus)
Related URL 22368, 22369, 22370, 22372 (ISS)