CVE-2013-0209

Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution

Title source: metasploit

Description

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.

Exploits (2)

metasploit · working PoC · excellent
by Kacper Nowak, Nick Blundell, Gary O · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/movabletype_upgrade_exec.rb
exploitdb · working PoC · verified
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/24321

Scores

EPSS 0.8063
EPSS Percentile 99.1%

Classification

CWE
CWE-287
Status draft

Affected Products (33)

sixapart/movable_type
... and 18 more

Timeline

Published Jan 23, 2013
Tracked Since Feb 18, 2026