CVE-2013-0209
Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
Title source: metasploit
Description
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/24321
metasploit
WORKING POC
EXCELLENT
by Kacper Nowak, Nick Blundell, Gary O\ · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/movabletype_upgrade_exec.rb
References (4)
Core References (4)
Exploit x_refsource_misc
http://www.sec-1.com/blog/?p=402
Patch, Vendor Advisory x_refsource_confirm
http://www.movabletype.org/2013/01/movable_type_438_patch.html
Exploit x_refsource_misc
http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/01/22/3
Scores
EPSS
0.8063
EPSS Percentile
99.1%
Details
CWE
CWE-287
Status
published
Products (21)
sixapart/movable_type 4.21
sixapart/movable_type 4.22
sixapart/movable_type 4.23
sixapart/movable_type 4.24
sixapart/movable_type 4.25
sixapart/movable_type 4.26
sixapart/movable_type 4.27
sixapart/movable_type 4.28 (3 CPE variants)
sixapart/movable_type 4.29 (3 CPE variants)
sixapart/movable_type 4.31
... and 11 more
Published
Jan 23, 2013
Tracked Since
Feb 18, 2026