Description
By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server. Movable Type (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises from the following properties:
- This script may be invoked remotely, without authentication, on any MT instance.
- Through a crafted POST request, it is possible to invoke particular database migration functions (i.e. functions that bring the existing database up to date with an updated codebase) by name and with particular parameters.
- One migration function, core_drop_meta_for_table, accepts a class parameter that is used directly in a Perl eval statement, allowing Perl code injection.
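Because the page notes that mt-upgrade.cgi accepts unauthenticated requests, any hit on that script after installation is worth alerting on. The following detection routine is an added example, not code from the advisory or from Movable Type; it scans combined-format access log lines (constructed samples, not real traffic) and rates hits on the upgrade script, escalating when the named migration function appears in the query string. The `fn=` parameter in the last sample is a placeholder, not a real MT parameter name.

```python
import re
from typing import Dict, List, Optional

# Combined log format (Apache/nginx style): ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Match on the script name only: the advisory gives /cgi/mt/ as the usual
# location, but deployments may mount the CGI directory elsewhere.
UPGRADE_SCRIPT = "mt-upgrade.cgi"
MIGRATION_FN = "core_drop_meta_for_table"

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request to mt-upgrade.cgi, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path, _, query = target.partition("?")
    if not path.endswith("/" + UPGRADE_SCRIPT):
        return None
    # The script should not be reachable once installation is complete, so any
    # access is suspicious; the advisory describes abuse via POST, rate that higher.
    severity = "high" if m.group("method") == "POST" else "medium"
    # POST bodies are not logged, but if the migration function name surfaces
    # in the query string it is direct evidence of migration-function invocation.
    if MIGRATION_FN in query:
        severity = "critical"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "target": target, "status": m.group("status"), "severity": severity}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi/mt/mt.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /cgi/mt/mt-upgrade.cgi?fn=core_drop_meta_for_table HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["method"], finding["target"])
```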
Remediation
Upgrade to the latest version of Movable Type or apply the patch listed in the web references section.
References