Debian Bug report logs - #697666
movabletype-opensource: mt-upgrade.cgi vulnerability


Package: movabletype-opensource; Maintainer for movabletype-opensource is Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>; Source for movabletype-opensource is src:movabletype-opensource.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Tue, 8 Jan 2013 07:57:01 UTC

Severity: grave

Tags: patch, security

Found in version movabletype-opensource/4.3.8+dfsg-0+squeeze2

Fixed in version movabletype-opensource/4.3.8+dfsg-0+squeeze3

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Tue, 08 Jan 2013 07:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Tue, 08 Jan 2013 07:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: movabletype-opensource: mt-upgrade.cgi vulnerability
Date: Tue, 8 Jan 2013 07:52:25 +0000
Package: movabletype-opensource
Version: 4.3.8+dfsg-0+squeeze2
Severity: grave
Justification: remote command execution
Tags: security patch

----- Forwarded message from Takeshi Nick Osanai <tosanai@sixapart.com> -----

Date: Tue, 8 Jan 2013 11:26:38 +0900
From: Takeshi Nick Osanai <tosanai@sixapart.com>
To: mtos-dev <mtos-dev@ml.sixapart.com>
Subject: [Mtos-dev] Movable Type 4.38 patch to fix a known upgrading
	security issue

Dear MT community members,

Six Apart has found a security issue and fixed it in Movable Type 4.2
and MT 4.3.
For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly
recommends that you upgrade to the latest released version of Movable
Type or execute the steps written in the entry below.
This vulnerability does not exist in Movable Type versions 5.0 or
later, including the latest Movable Type, version 5.2.2.

For more detailed information, please see the entry.

http://www.movabletype.org/2013/01/movable_type_438_patch.html



-- 
------------------------------------------------------------------------
Takeshi "Nick" Osanai
Movable Type Product and Marketing Manager

Six Apart, Ltd.
tosanai@sixapart.com
http://www.movabletype.org
http://www.movabletype.jp
------------------------------------------------------------------------
_______________________________________________
Mtos-dev mailing list
Mtos-dev@ml.sixapart.com
http://ml.sixapart.com/mailman/listinfo/mtos-dev

----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 08 Jan 2013 17:57:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Tue, 08 Jan 2013 18:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Tue, 08 Jan 2013 18:09:03 GMT) Full text and rfc822 format available.

Message #12 received at 697666@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 697666@bugs.debian.org, team@security.debian.org
Subject: Re: [pkg-mt-om-devel] Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability
Date: Tue, 8 Jan 2013 18:04:20 +0000
On Tue, Jan 08, 2013 at 07:52:25AM +0000, Dominic Hargreaves wrote:
> Package: movabletype-opensource
> Version: 4.3.8+dfsg-0+squeeze2
> Severity: grave
> Justification: remote command execution
> Tags: security patch
> 
> ----- Forwarded message from Takeshi Nick Osanai <tosanai@sixapart.com> -----
> 
> Date: Tue, 8 Jan 2013 11:26:38 +0900
> From: Takeshi Nick Osanai <tosanai@sixapart.com>
> To: mtos-dev <mtos-dev@ml.sixapart.com>
> Subject: [Mtos-dev] Movable Type 4.38 patch to fix a known upgrading
> 	security issue
> 
> Dear MT community members,
> 
> Six Apart has found a security issue and fixed it in Movable Type 4.2
> and MT 4.3.
> For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly
> recommends that you upgrade to the latest released version of Movable
> Type or execute the steps written in the entry below.
> This vulnerability does not exist in Movable Type versions 5.0 or
> later, including the latest Movable Type, version 5.2.2.
> 
> For more detailed information, please see the entry.
> 
> http://www.movabletype.org/2013/01/movable_type_438_patch.html

Hi,

I've pushed a fix for this to git:

http://anonscm.debian.org/gitweb/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=6641bd2f42f5e48ac0a6cd2c0b0ccebea22967cb

Note that much of the patch is whitespace changes, but I thought it
would be better to stick with the upstream file rather than trim it
back to the meaningful changes in case of subsequent updates from
upstream.

I've tested this code path by installing the lenny version of MT
and upgrading it to this package.

Security team, shall I upload to security-master?

It might be useful in a DSA to recommend restricting the mt-upgrade.cgi
script to trusted IP addresses, but I don't think it's something we
can do by default, as browser access to mt-upgrade.cgi is needed to
complete upgrades.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Sat, 19 Jan 2013 19:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Sat, 19 Jan 2013 19:21:03 GMT) Full text and rfc822 format available.

Message #17 received at 697666@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: 697666@bugs.debian.org, team@security.debian.org
Subject: Re: [pkg-mt-om-devel] Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability
Date: Sat, 19 Jan 2013 20:18:10 +0100
On mar., 2013-01-08 at 18:04 +0000, Dominic Hargreaves wrote:
> Security team, shall I upload to security-master?

Yes, please.
> 
> It might be useful in a DSA to recommend restricting the
> mt-upgrade.cgi
> script to trusted IP addresses, but I don't think it's something we
> can do by default, as browser access to mt-upgrade.cgi is needed to
> complete upgrades.

To be honest, I'd be comfortable restricting it to 127.0.0.1/::1 but
that's not really something we can change on a stable update.

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Sun, 20 Jan 2013 21:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Sun, 20 Jan 2013 21:33:03 GMT) Full text and rfc822 format available.

Message #22 received at 697666@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Yves-Alexis Perez <corsac@debian.org>, 697666@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [pkg-mt-om-devel] Bug#697666: Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability
Date: Sun, 20 Jan 2013 21:28:51 +0000
On Sat, Jan 19, 2013 at 08:18:10PM +0100, Yves-Alexis Perez wrote:
> On mar., 2013-01-08 at 18:04 +0000, Dominic Hargreaves wrote:
> > Security team, shall I upload to security-master?
> 
> Yes, please.

Okay, done.

> > It might be useful in a DSA to recommend restricting the
> > mt-upgrade.cgi
> > script to trusted IP addresses, but I don't think it's something we
> > can do by default, as browser access to mt-upgrade.cgi is needed to
> > complete upgrades.
> 
> To be honest, I'd be comfortable restricting it to 127.0.0.1/::1 but
> that's not really something we can change on a stable update.

That is likely to render the site inoperable following an upgrade
with a schema change, because an admin has to log in with their
browser and get redirected to mt-upgrade.cgi. They're advised of
this possibility with a debconf note, but I still think it's risky
to lock people out of doing this by default.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
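The access restriction discussed in this thread, written out as an added example (not from the bug report, the DSA or the Debian package) in Apache 2.2 syntax, the version shipped with squeeze; it allows localhost plus an administrator network so the browser redirect to mt-upgrade.cgi after a schema-changing upgrade still works. The 192.0.2.0/24 range is a placeholder for your own admin network and no particular install path is assumed.

```apache
# Added example: limit mt-upgrade.cgi to localhost and an admin network.
# Apache 2.2 (Debian squeeze) mod_authz_host syntax.
# 192.0.2.0/24 is a placeholder for the administrators' network;
# 127.0.0.1 and ::1 match the 127.0.0.1/::1 suggestion in the thread.
<Files "mt-upgrade.cgi">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from 192.0.2.0/24
</Files>
```

Restricting to 127.0.0.1/::1 alone, as the thread notes, blocks the admin's browser from completing an upgrade; the extra Allow line is what keeps that path open.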



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Mon, 21 Jan 2013 20:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Mon, 21 Jan 2013 20:51:05 GMT) Full text and rfc822 format available.

Message #27 received at 697666@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: oss-security@lists.openwall.com
Cc: 697666@bugs.debian.org
Subject: CVE request for Movable Type
Date: Mon, 21 Jan 2013 21:48:46 +0100
Hi,

Movable Type 4.38 was released a few weeks ago, fixing a security
issue in the upgrade page.

More information can be found at [1] but basically it looks like missing
input sanitation on the mt-upgrade.cgi page.

As far as I can tell, no CVE has been allocated yet, could someone
allocate one?

Regards,

[1]: http://www.movabletype.org/2013/01/movable_type_438_patch.html
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>:
Bug#697666; Package movabletype-opensource. (Tue, 22 Jan 2013 04:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Movable Type and OpenMelody team <pkg-mt-om-devel@lists.alioth.debian.org>. (Tue, 22 Jan 2013 04:18:03 GMT) Full text and rfc822 format available.

Message #32 received at 697666@bugs.debian.org (full text, mbox):

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Yves-Alexis Perez <corsac@debian.org>, 697666@bugs.debian.org
Subject: Re: [oss-security] CVE request for Movable Type
Date: Mon, 21 Jan 2013 21:14:54 -0700

On 01/21/2013 01:48 PM, Yves-Alexis Perez wrote:
> Hi,
> 
> Movable Type 4.38 was released a few weeks ago, fixing a
> security issue in the upgrade page.
> 
> More information can be found at [1] but basically it looks like
> missing input sanitation on the mt-upgrade.cgi page.
> 
> As far as I can tell, no CVE has been allocated yet, could someone 
> allocate one?
> 
> Regards,
> 
> [1]:
> http://www.movabletype.org/2013/01/movable_type_438_patch.html

Please use CVE-2013-0209 for this issue.



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Tue, 22 Jan 2013 21:33:10 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Tue, 22 Jan 2013 21:33:10 GMT) Full text and rfc822 format available.

Message #37 received at 697666-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 697666-close@bugs.debian.org
Subject: Bug#697666: fixed in movabletype-opensource 4.3.8+dfsg-0+squeeze3
Date: Tue, 22 Jan 2013 21:32:04 +0000
Source: movabletype-opensource
Source-Version: 4.3.8+dfsg-0+squeeze3

We believe that the bug you reported is fixed in the latest version of
movabletype-opensource, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697666@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 20 Jan 2013 21:18:47 +0000
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core movabletype-plugin-zemanta
Architecture: source all
Version: 4.3.8+dfsg-0+squeeze3
Distribution: stable-security
Urgency: low
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 movabletype-opensource - A well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
 movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 697666
Changes: 
 movabletype-opensource (4.3.8+dfsg-0+squeeze3) stable-security; urgency=low
 .
   * Include patch fixing remote execution and SQL injection
     vulnerability in mt-upgrade.cgi (closes: #697666)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:06 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:34:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.