CVE-2013-0209
Published: 2013-01-23
Priority: P2 67, severity: high, CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 45.20% (98.6th percentile)
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sixapart | movable_type | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to mt-upgrade.cgi containing the 'run_actions' mode and 'core_drop_meta_for_table' function name, which indicates active exploitation of the eval injection vulnerability.
- Flag POST requests to mt-upgrade.cgi where the 'steps' parameter contains 'core_drop_meta_for_table' and a 'class' value; the class value is passed directly into a Perl eval, enabling arbitrary code execution.
- Detect use of MIME::Base64 and system() calls within the 'class' parameter of POST requests to mt-upgrade.cgi, as this is the payload delivery pattern used to execute OS commands via Perl eval injection.
- The vulnerable endpoint mt-upgrade.cgi requires NO authentication, meaning any remote attacker can reach it directly without credentials. Ensure the CGI script is removed or access-restricted after installation/upgrade is complete.
- The default TARGETURI used by the Metasploit exploit module is '/mt', meaning the full attack path defaults to '/mt/mt-upgrade.cgi'. Deployments using non-default installation paths may reduce (but not eliminate) exposure.
- The vulnerability affects Movable Type 4.2x and 4.3x through 4.38 specifically; the flaw resides in lib/MT/Upgrade.pm invoked via mt-upgrade.cgi.
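The checks listed above, combined into one triage function over request records from a source that captures POST bodies (for example a WAF or reverse proxy). This is an added example, not code from the page or from Movable Type; the record layout, the `__mode` key name and the flat `steps` layout in the samples are constructed placeholders, and the function matches on decoded values rather than on any particular body structure.

```python
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/mt-upgrade.cgi"            # matched at any install path, not only /mt
MODE = "run_actions"
FUNCTION = "core_drop_meta_for_table"
PAYLOAD_MARKERS = ("mime::base64", "system(")


def _decode(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding and lower-case."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def classify(request):
    """Grade one request dict with 'method', 'path' and 'body' keys."""
    if not urlsplit(request["path"]).path.lower().endswith(ENDPOINT):
        return None
    pairs = parse_qsl(request.get("body") or "", keep_blank_values=True)
    fields = [(k.lower(), _decode(v)) for k, v in pairs]
    steps = " ".join(v for k, v in fields if k == "steps")
    injected = (request["method"].upper() == "POST"
                and any(v == MODE for _, v in fields)
                and FUNCTION in steps and "class" in steps)
    if not injected:
        # The script answers at all: it should be removed or restricted.
        return "endpoint-reachable"
    if any(marker in steps for marker in PAYLOAD_MARKERS):
        return "eval-injection-os-command"
    return "eval-injection-attempt"


def scan(requests):
    """Return (path, verdict) for every request that touches the endpoint."""
    graded = ((r["path"], classify(r)) for r in requests)
    return [(path, verdict) for path, verdict in graded if verdict]


# Constructed records for illustration; not real traffic or a real body format.
SAMPLES = [
    {"method": "GET", "path": "/index.html", "body": ""},
    {"method": "GET", "path": "/mt/mt-upgrade.cgi", "body": ""},
    {"method": "POST", "path": "/mt/mt-upgrade.cgi",
     "body": "__mode=run_actions&steps=core_drop_meta_for_table+class+PLACEHOLDER"},
    {"method": "POST", "path": "/blog/cgi/mt-upgrade.cgi",
     "body": "__mode=run_actions&steps=core_drop_meta_for_table%2520class%2520"
             "MIME%253A%253ABase64%2520system%2528PLACEHOLDER%2529"},
]
```

Standard access logs do not record POST bodies, so with those alone only the `endpoint-reachable` verdict is available.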
Exploit-DB
Movable Type 4.2x/4.3x - Web Upgrade Remote Code Execution (Metasploit)
exploitdb · 2013-01-07 · CVSS 7.5
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit4 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
'Description' => %q{
This module can be used to execute a payload on MoveableType (MT) that
exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),
that is used during installation and updating of the platform.
The vulnerability arises due to the following properties:
1. This script may be invoked remotely without requiring authentication
to any MT instance.
2. Through
Metasploit
Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
This module can be used to execute a payload on Movable Type (MT) that exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following properties:
1. This script may be invoked remotely without requiring authentication to any MT instance.
2. Through a crafted POST request, it is possible to invoke particular database migration functions (i.e. functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters.
3. A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a perl eval statement, allowing perl c
- http://openwall.com/lists/oss-security/2013/01/22/3
- http://www.movabletype.org/2013/01/movable_type_438_patch.html
- http://www.sec-1.com/blog/?p=402
- http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt