
[Full-disclosure] Buggy blogging



Portcullis Security Advisory

Tim Brown
tmb@xxxxxxxxxxxxxxxxxxxxxxx - www.portcullis-security.com
timb@xxxxxxxxxxxxxxxxxxxx - www.nth-dimension.org.uk

Vulnerable System:

Movable Type

Vulnerability Title:

Username and password hash for administration interface stored in cookie.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
during an application assessment.  Further research was then carried out post 
assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Portcullis Security Testing Services

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Following successful login to the administration interface, the cookie mt_user 
is set.  This cookie contains the string <account username>::<account password 
hash>::<remember flag> and is accessible to any page requested from within the 
same directory as the mt.cgi CGI script.  This string will expire at the end of 
the user's session where the remember flag is set to 0 during the initial login, 
or in 10 years' time where the remember flag is set to 1 during the initial login.

Impact:

Should an attacker succeed in grabbing this cookie (either via XSS, as described 
below, by interception during transmission, or from the user's browser), they 
will be able to log in successfully, either by setting a similar cookie in their 
own browser or by modifying their requests through a man-in-the-middle proxy, 
until such time as the password for this account is changed.
  
Exploit:

Exploit code not required.
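To make the risk concrete, here is an added example (not Movable Type's code) contrasting the credential-bearing cookie the advisory describes with a server-side session store that issues only a random token, so the cookie can be revoked on password change and never carries the password hash. The lifetimes and the SessionStore class are my assumptions.

```python
import secrets
import time

# Constructed reproduction of the cookie value the advisory describes: the
# cookie *is* the credential, so anyone holding it can log in until the
# password changes.
def vulnerable_cookie(username, password_hash, remember):
    return "::".join((username, password_hash, "1" if remember else "0"))

# Hardened alternative (added here, not Movable Type's own design): the cookie
# carries a random token only; username and expiry live server-side.
SESSION_TTL = 60 * 60          # assumed: one browser session, about an hour
REMEMBER_TTL = 30 * 24 * 3600  # assumed: 30 days instead of 10 years

class SessionStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing
        self.sessions = {}        # token -> (username, expiry timestamp)

    def issue(self, username, remember):
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        ttl = REMEMBER_TTL if remember else SESSION_TTL
        self.sessions[token] = (username, self.now() + ttl)
        return token

    def lookup(self, token):
        """Return the username for a live token, or None if unknown/expired."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expires = entry
        if self.now() >= expires:
            del self.sessions[token]
            return None
        return username

    def revoke_user(self, username):
        """On password change, kill every live session for the user at once,
        which a cookie built from the password hash cannot do."""
        for tok in [t for t, (u, _) in self.sessions.items() if u == username]:
            del self.sessions[tok]
```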

Vulnerability Title:

Blog directory path can be set to any arbitrary directory path during the 
creation of new blogs.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
whilst performing an assessment of the Movable Type package.  After further 
research the vendor was notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Assuming the account a user is logged in as has sufficient permissions to 
create new blogs, then a blog can be created with any arbitrary directory path.

Impact:

An attacker could use this in combination with the upload mechanism issue below 
to upload SSH private keys into the web server system user's home directory, 
overwrite existing CGI scripts, deface other web sites on the web server or 
carry out any other attack which requires the modification of files on the web 
server.  This is especially dangerous if the web server system user has 
administrative permissions which allow it to access any directory and write to 
any file.
  
Exploit:

Exploit code not required.

Vulnerability Title:

The create entry mechanism is vulnerable to JavaScript injection.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
during an application assessment.  Further research was then carried out post 
assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

During the creation of new blog entries, it is possible for an attacker to 
inject JavaScript into the title, category, body, extended body and excerpt 
form elements, which will then be executed when a user visits a number of 
sections of the administration interface, including the list entries mechanism 
and the preview entry mechanism, as well as the blog index and the published entry.

Impact:

An attacker could use this to execute malicious code on visitors' computers.
  
Exploit:

Exploit code not required.

Vulnerability Title:

Potential phishing attack via the comments mechanism.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
during an application assessment.  Further research was then carried out post 
assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

By posting a comment that includes a URL to an entry on a blog, it is possible 
to create URLs within the web server's domain which actually forward anyone who 
requests them to a URL on another web server.  Comments that include a URL will 
be added to the blog entry with the URL encoded as 
http://webserver/path/to/mt-comments.cgi?__mode=red;id=<id>, which forwards any 
user who requests that URL, using JavaScript, to the URL referenced by the id.

Impact:

By forwarding this URL, which may be seen as trusted, an attacker may be able to 
lure its recipients to a malicious site of their creation.

Exploit:

Exploit code not required.

Vulnerability Title:

Upload mechanism potentially allows upload of arbitrary code for execution as 
the web server user.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
during an application assessment.  Further research was then carried out post 
assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Since the Movable Type application stores all uploads to a blog within the blog 
directory path, it may be possible to execute arbitrary code by uploading it 
and requesting the resulting URL.

Impact:

An attacker could use this to upload scripts written in languages such as PHP, 
which the web server may by default execute directly from any point within the 
web root, or in combination with the blog directory path issue above to 
overwrite existing CGI scripts such as those included within the Movable Type 
application.

Exploit:

Exploit code not required.
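The two file-system issues above (arbitrary blog directory path, and uploads stored and served from that path) share one mitigation: confine the blog directory to a site root and refuse upload names the web server might execute. This is an added example, not Movable Type's code; SITE_ROOT and the extension list are assumptions, and the check also rejects an executable extension anywhere in the name (shell.php.jpg), since some server configurations map handlers on any extension.

```python
import os
import posixpath

SITE_ROOT = "/srv/www/blogs"  # assumed: the only place blogs may live
# Assumed list of extensions the web server might hand to an interpreter.
EXECUTABLE_EXTS = {"php", "php3", "phtml", "cgi", "pl", "py", "sh"}

def safe_blog_path(requested):
    """Resolve the requested blog directory (relative to SITE_ROOT, or an
    absolute path) and return it only if it stays under SITE_ROOT.
    realpath() collapses '..' and follows symlinks, so neither
    '../../home/www' nor '/home/www/.ssh' can be set as a blog directory;
    commonpath() is used instead of startswith() so '/srv/www/blogsX' is
    not mistaken for a child of '/srv/www/blogs'."""
    root = os.path.realpath(SITE_ROOT)
    resolved = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([resolved, root]) != root:
        return None
    return resolved

def safe_upload_name(filename):
    """Return the bare filename if it carries no directory component, is not
    a dotfile (.htaccess would change server behaviour) and has no executable
    extension in any position; otherwise None."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base.startswith("."):
        return None
    exts = {part.lower() for part in base.split(".")[1:]}
    if exts & EXECUTABLE_EXTS:
        return None
    return base
```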

Vulnerability Title:

Username enumeration possible via the password reset mechanism.

Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd discovered this vulnerability 
during an application assessment.  Further research was then carried out post 
assessment and the vendor notified.  The vendor subsequently verified the 
vulnerability.

Affected systems:

All known versions of Movable Type, vulnerability discovered for version 3.16.

Details:

Requesting the URL
http://webserver/path/to/mt.cgi?__mode=recover&name=<username> returns pages 
containing different error messages dependent on whether an account with that 
username exists in the authentication database.  If an account with that 
username exists, the error message is "Birthplace '' does not match stored 
birthplace for this author", however if no account with that username exists, 
then the error message "No such author with name '<username>'" is instead 
returned.

Impact:

An attacker could use this to enumerate which account usernames exist in the 
authentication database.

Exploit:

Exploit code not required.
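Added example (not Movable Type's code) of the recovery handler behaviour the advisory reports, beside a hardened handler that answers identically whether or not the author exists, plus a small self-check a site owner can run against either handler. The author table and the uniform message are constructed.

```python
import hmac

# Constructed stand-in for the authentication database: username -> birthplace.
AUTHORS = {"melody": "Springfield"}

def recover_vulnerable(name, birthplace=""):
    """Reproduces the distinguishable messages quoted in the advisory."""
    if name not in AUTHORS:
        return "No such author with name '%s'" % name
    if birthplace != AUTHORS[name]:
        return ("Birthplace '%s' does not match stored birthplace for this "
                "author" % birthplace)
    return "Password reset instructions have been sent."

UNIFORM = ("If the details supplied match an account, password reset "
           "instructions will be sent.")

def recover_hardened(name, birthplace=""):
    """Same reply for an unknown name and a wrong answer; the comparison is
    performed even when the name is unknown so the unknown case does not
    take an obviously shorter code path."""
    stored = AUTHORS.get(name, "")
    matched = name in AUTHORS and hmac.compare_digest(
        stored.encode(), birthplace.encode())
    if matched:
        pass  # the reset e-mail would be sent here, out of band
    return UNIFORM

def leaks_existence(handler, known, unknown):
    """Self-check: does the handler's reply differ for a known and an
    unknown username when both supply the same (wrong) answer?"""
    return handler(known) != handler(unknown)
```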

Copyright: 

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.

Disclaimer: 

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.