Buggy blogging

[Nomen Nescio <nobody () dizum com>]

Portcullis Security Advisory

Tim Brown
tmb () portcullis-security com - www.portcullis-security.com
timb () nth-dimension org uk - www.nth-dimension.org.uk

Vulnerable System:

Movable Type

Vulnerability Title:

Username and password hash for administration interface stored in cookie.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment.  Further 
research was then carried out post assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Portcullis Security Testing Services

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Following successful login to the administration interface, the cookie mt_user is set.  This cookie contains the string 
<account username>::<account password hash>::<remember flag> and is accessible to any page requested from within the 
same directory as the mt.cgi CGI script.  This string will expire at the end of the users session where the remember 
flag is set to 0 during the initial login, or in 10 years time where the remember flag is set to 1 during the inital 
login.

Impact:

Should an attacker succeed in grabbing this cookie (either via XSS as described above, interception during transmission 
or from the users browser), they will be able to successfully login, until such time as the password for this account 
is changed either by setting a similar cookie in their browser, or by modifying their requests through a man in the 
middle proxy.
  
Exploit:

Exploit code not required.

Vulnerability Title:

Blog directory path can be set to any arbitrary directory path during the creation of new blogs.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd whilst performing an assessment of the Movable Type package.  After 
further research the vendor was notified.  The vendor subsequently verified the vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Assuming the account a user is logged in as has sufficient permissions to create new blogs, then a blog can be created 
with any arbitrary directory path.

Impact:

An attacker could use this in combination with the upload mechanism issue below to upload SSH private keys into the web 
server system users home directory, overwrite existing CGI scripts, deface other web sites on the web server or carry 
out any other attack which requires the modification of files on the web server.  This is especially dangerous if the 
web server system user has administrative permission which allow it to access any directory and write to any file.
  
Exploit:

Exploit code not required.

Vulnerability Title:

The create entry mechanism is vulnerable to JavaScript injection.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment.  Further 
research was then carried out post assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

During the creation of new blog entries, it is possible for an attacker to inject JavaScript into the title, category, 
body, extended body and excerpt form elements which will then be executed when a user visits a number of sections of 
the administration interface including the list entries mechanism, the preview entry mechanism as well as the blog 
index and the published entry.

Impact:

An attacker could use this to execute malicious code on visitors computers.
  
Exploit:

Exploit code not required.

Vulnerability Title:

Potential phishing attack via the comments mechanism.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment.  Further 
research was then carried out post assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

By posting a comment to an entry on a blog, it is possible to create URLs within the web server domain which actually 
forward any one who requests them to a URL on another web server by entering a URL with the comment.  Comments that 
include a URL will be added to the blog entry with the URL encoded as 
http://webserver/path/to/mt-comments.cgi?__mode=red;id=<id> which forwards any user who requests the URL using 
JavaScript to the URL referenced by the id.

Impact:

By forwarding this URL, which may be seen as trusted an attacker may be able to lure its recipients to a malicous site 
of their creation.

Exploit:

Exploit code not required.

Vulnerability Title:

Upload mechanism potentially allows upload of arbitrary code for execution as the web server user.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment.  Further 
research was then carried out post assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Since the Movable Type application stores all uploads to a blog within the blog directory path, it may be possible to 
execute arbitrary code by uploading it and requesting the resulting URL.

Impact:

An attacker could use this to upload scripts written in languages such as PHP which the web server may by default 
execute directly from any point within the web root, or in combination with the blog directory path issue above to 
overwrite existing CGI scripts such as those  included within the Movable Type application.

Exploit:

Exploit code not required.

Vulnerability Title:

Username enumeration possible via the password reset mechanism.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability during an application assessment.  Further 
research was then carried out post assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Requesting the URL
http://webserver/path/to/mt.cgi?__mode=recover&name=<username> returns pages containing different error messages 
dependent on whether an account with that username exists in the authentication database.  If an account with that 
username exists, the error message is "Birthplace '' does not match stored birthplace for this author", however if no 
account with that username exists, then the error message "No such author with name '<username>'" is instead returned.

Impact:
An attacker could use this to enumerate which account usernames exist in the authentication database.

Exploit:

Exploit code not required.

Copyright: 

Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered 
in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: 

The information herein contained may change without notice. Use of this information constitutes acceptance for use in 
an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use 
of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security 
Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this 
information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/