--------------------------------------------------------------------------------------------
20110525 - Justanotherhacker.com : Cross site scripting in Movable Type
JAHx112 - http://www.justanotherhacker.com/advisories/JAHx112.txt
--------------------------------------------------------------------------------------------

Movable Type is a professional publishing platform
[ Taken from: http://www.movabletype.org ]

--- Vulnerability description ---
The 'static' parameter to the comment script is not sufficiently sanitised,
which allows an attacker to break out of the meta redirect URL in the response,
resulting in a cross site scripting attack.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Responsible
CVE: Unassigned
Movable Type BugID: #105441
Vendor: Six Apart Ltd - http://www.sixapart.com
Affected versions:
 * Movable Type Open Source 4.x
 * Movable Type Open Source 5.x
 * Movable Type 4.x ( with Professional Pack, Community Pack )
 * Movable Type 5.x ( with Professional Pack, Community Pack )
 * Movable Type Enterprise 4.x

--- Proof of Concept ---
http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static=">&logout=1&entry_id=

--- Solution ---
Upgrade to the latest versions of Movable Type 4 or Movable Type 5.
 * Movable Type Open Source 4.36
 * Movable Type Open Source 5.05
 * Movable Type Open Source 5.1
 * Movable Type 4.36 ( with Professional Pack, Community Pack )
 * Movable Type 5.05 ( with Professional Pack, Community Pack )
 * Movable Type 5.1 ( with Professional Pack, Community Pack )
 * Movable Type Enterprise 4.36
 * Movable Type Advanced 5.1

--- Disclosure time line ---
25-May-2011 - Advisory released
24-May-2011 - New version released
18-May-2011 - Patch produced
11-Jan-2011 - Vendor acknowledged vulnerability
08-Jan-2011 - Vendor notified through email
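The defect the advisory describes is a caller-supplied redirect target being interpolated into the content attribute of a meta refresh tag without attribute escaping, so a double quote in the value closes the attribute. The following is an added illustration written for this page, not Movable Type's own code (which is Perl): it places the naive interpolation pattern beside a hardened version that first constrains the target to a site-relative path or an allowed host, then HTML-attribute-escapes it. The ALLOWED_HOSTS set and the sample inputs are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed placeholder: hosts a comment-script redirect may legitimately target.
ALLOWED_HOSTS = {"blog.example.com"}


def render_meta_refresh_unsafe(static: str) -> str:
    """The pattern the advisory describes: the parameter is dropped straight
    into the attribute, so a quote character in it ends the attribute early."""
    return f'<meta http-equiv="refresh" content="0; url={static}">'


def safe_redirect_target(static: str, fallback: str = "/") -> str:
    """Reduce an untrusted redirect target to something we are willing to emit.

    Accepts only a site-relative path (single leading slash, so no
    protocol-relative //host form) or an absolute http(s) URL whose host is
    on the allow list.  Everything else, including the empty string and
    values that are not URLs at all, becomes the fallback page."""
    if not static:
        return fallback
    parts = urlsplit(static)
    if (parts.scheme == "" and parts.netloc == ""
            and static.startswith("/") and not static.startswith("//")):
        return static
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return static
    return fallback


def render_meta_refresh(static: str) -> str:
    """Hardened form: validate the target, then escape it for an HTML
    attribute context.  html.escape(quote=True) turns " into &quot;,
    & into &amp; and < > into &lt; &gt;, so the attribute cannot be closed
    from inside the value whatever the validator let through."""
    target = safe_redirect_target(static)
    return f'<meta http-equiv="refresh" content="0; url={html.escape(target, quote=True)}">'


def attribute_intact(tag: str) -> bool:
    """Cheap check usable in a regression test: the rendered tag must contain
    exactly the two quote characters that delimit the content attribute."""
    return tag.count('"') == 4  # http-equiv="..." and content="..."


if __name__ == "__main__":
    # Constructed sample values.
    for value in ['/2011/05/entry.html', 'http://blog.example.com/2011/05/entry.html',
                  '/search?q=a&b="x"', '">']:
        print("unsafe :", render_meta_refresh_unsafe(value))
        print("safe   :", render_meta_refresh(value))
```

The validator is the important half: escaping alone keeps the markup well formed, but without the host check the script would still be an open redirect to any destination the caller names.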