cbcvebase.
CVE-2013-0209
published 2013-01-23

CVE-2013-0209: lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions…

PriorityP267high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
45.20%
98.6th percentile
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.

Affected

21 ranges
VendorProductVersion rangeFixed in
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type
sixapartmovable_type

Detection & IOCsextracted from sources · hover to see the quote

path/mt/mt-upgrade.cgi
path/mt-upgrade.cgi
command__mode=run_actions&installing=1&steps=[["core_drop_meta_for_table","class","<PAYLOAD>"]]
commandv0;use MIME::Base64;system(decode_base64(q(<BASE64_CMD>)));return 0
  • Detect unauthenticated POST requests to mt-upgrade.cgi containing the 'run_actions' mode and 'core_drop_meta_for_table' function name, which indicates active exploitation of the eval injection vulnerability.
  • Flag POST requests to mt-upgrade.cgi where the 'steps' parameter contains 'core_drop_meta_for_table' and a 'class' value — the class value is passed directly into a Perl eval, enabling arbitrary code execution.
  • Detect use of MIME::Base64 and system() calls within the 'class' parameter of POST requests to mt-upgrade.cgi, as this is the payload delivery pattern used to execute OS commands via Perl eval injection.
  • ·The vulnerable endpoint mt-upgrade.cgi requires NO authentication, meaning any remote attacker can reach it directly without credentials. Ensure the CGI script is removed or access-restricted after installation/upgrade is complete.
  • ·The default TARGETURI used by the Metasploit exploit module is '/mt', meaning the full attack path defaults to '/mt/mt-upgrade.cgi'. Deployments using non-default installation paths may reduce (but not eliminate) exposure.
  • ·The vulnerability affects Movable Type 4.2x and 4.3x through 4.38 specifically; the flaw resides in lib/MT/Upgrade.pm invoked via mt-upgrade.cgi.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.