--------------------------------------------------------------------------------------------
20110525 - Justanotherhacker.com : Cross site scripting in Movable Type
JAHx112 - http://www.justanotherhacker.com/advisories/JAHx112.txt
--------------------------------------------------------------------------------------------
Movable Type is a professional publishing platform
[ Taken from: http://www.movabletype.org ]
--- Vulnerability description ---
The 'static' parameter to the comment script is not sufficiently sanitised which allows an attacker
to break out of the meta redirect url in the response, resulting in a cross site scripting attack.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Responsible
CVE: Unassigned
Movable Type BugID: #105441
Vendor: Six Apart Ltd - http://www.sixapart.com
Affected versions:
* Movable Type Open Source 4.x
* Movable Type Open Source 5.x
* Movable Type 4.x ( with Professional Pack, Community Pack )
* Movable Type 5.x ( with Professional Pack, Community Pack )
* Movable Type Enterprise 4.x
--- Proof of Concept ---
http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static="><script>alert(document.cookie)</script>&logout=1&entry_id=
--- Solution ---
Upgrade to the latest versions of Movable Type 4 or Movable Type 5.
* Movable Type Open Source 4.36
* Movable Type Open Source 5.05
* Movable Type Open Source 5.1
* Movable Type 4.36( with Professional Pack, Community Pack)
* Movable Type 5.05( with Professional Pack, Community Pack)
* Movable Type 5.1( with Professional Pack, Community Pack)
* Movable Type Enterprise 4.36
* Movable Type Advanced 5.1
--- Disclosure time line ---
25-May-2011 - Advisory released
24-May-2011 - New version released
18-May-2011 - Patch produced
11-Jan-2011 - Vendor acknowledge vulnerability
08-Jan-2011 - Vendor notified through email