Portcullis Security Advisory Tim Brown tmb@portcullis-security.com - www.portcullis-security.com timb@nth-dimension.org.uk - www.nth-dimension.org.uk Vulnerable System: Movable Type Vulnerability Title: Username and password hash for administration interface stored in cookie. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment. Further research was then carried out post assessment and the vendor notified. The vendor subsequently verified the vulnerability. Portcullis Security Testing Services Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: Following successful login to the administration interface, the cookie mt_user is set. This cookie contains the string :::: and is accessible to any page requested from within the same directory as the mt.cgi CGI script. This string will expire at the end of the users session where the remember flag is set to 0 during the initial login, or in 10 years time where the remember flag is set to 1 during the inital login. Impact: Should an attacker succeed in grabbing this cookie (either via XSS as described above, interception during transmission or from the users browser), they will be able to successfully login, until such time as the password for this account is changed either by setting a similar cookie in their browser, or by modifying their requests through a man in the middle proxy. Exploit: Exploit code not required. Vulnerability Title: Blog directory path can be set to any arbitrary directory path during the creation of new blogs. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd whilst performing an assessment of the Movable Type package. After further research the vendor was notified. The vendor subsequently verified the vulnerability. Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: Assuming the account a user is logged in as has sufficient permissions to create new blogs, then a blog can be created with any arbitrary directory path. Impact: An attacker could use this in combination with the upload mechanism issue below to upload SSH private keys into the web server system users home directory, overwrite existing CGI scripts, deface other web sites on the web server or carry out any other attack which requires the modification of files on the web server. This is especially dangerous if the web server system user has administrative permission which allow it to access any directory and write to any file. Exploit: Exploit code not required. Vulnerability Title: The create entry mechanism is vulnerable to JavaScript injection. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment. Further research was then carried out post assessment and the vendor notified. The vendor subsequently verified the vulnerability. Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: During the creation of new blog entries, it is possible for an attacker to inject JavaScript into the title, category, body, extended body and excerpt form elements which will then be executed when a user visits a number of sections of the administration interface including the list entries mechanism, the preview entry mechanism as well as the blog index and the published entry. Impact: An attacker could use this to execute malicious code on visitors computers. Exploit: Exploit code not required. Vulnerability Title: Potential phishing attack via the comments mechanism. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment. Further research was then carried out post assessment and the vendor notified. The vendor subsequently verified the vulnerability. Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: By posting a comment to an entry on a blog, it is possible to create URLs within the web server domain which actually forward any one who requests them to a URL on another web server by entering a URL with the comment. Comments that include a URL will be added to the blog entry with the URL encoded as http://webserver/path/to/mt-comments.cgi?__mode=red;id= which forwards any user who requests the URL using JavaScript to the URL referenced by the id. Impact: By forwarding this URL, which may be seen as trusted an attacker may be able to lure its recipients to a malicous site of their creation. Exploit: Exploit code not required. Vulnerability Title: Upload mechanism potentially allows upload of arbitrary code for execution as the web server user. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment. Further research was then carried out post assessment and the vendor notified. The vendor subsequently verified the vulnerability. Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: Since the Movable Type application stores all uploads to a blog within the blog directory path, it may be possible to execute arbitrary code by uploading it and requesting the resulting URL. Impact: An attacker could use this to upload scripts written in languages such as PHP which the web server may by default execute directly from any point within the web root, or in combination with the blog directory path issue above to overwrite existing CGI scripts such as those included within the Movable Type application. Exploit: Exploit code not required. Vulnerability Title: Username enumeration possible via the password reset mechanism. Vulnerability discovery and development: Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment. Further research was then carried out post assessment and the vendor notified. The vendor subsequently verified the vulnerability. Affected systems: All known versions of Movable Type, vulnerability discovered for version 3.16. Details: Requesting the URL http://webserver/path/to/mt.cgi?__mode=recover&name= returns pages containing different error messages dependent on whether an account with that username exists in the authentication database. If an account with that username exists, the error message is "Birthplace '' does not match stored birthplace for this author", however if no account with that username exists, then the error message "No such author with name ''" is instead returned. Impact: An attacker could use this to enumerate which account usernames exist in the authentication database. Exploit: Exploit code not required. Copyright: Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.