[<prev] [next>] [month] [year] [list]
Date: Mon, 4 Jun 2007 11:49:35 +0100
From: "advisories" <advisories@...tcullis-security.com>
To: <moderators@...db.org>, <bugtraq@...urityfocus.com>,
<full-disclosure@...ts.grok.org.uk>, <vuln@...unia.com>,
<news@...uriteam.com>
Subject: Portcullis Computer Security Ltd - Advisories
Hello
Please find attached the above advisories from Portcullis Computer
Security Ltd.
Kind Regards
Tracey Parry
Advisories
Portcullis Computer Security Ltd
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
The Grange Barn, Pikes End, Pinner, MIDDX,
United Kingdom, HA5 2EX.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
###############################################################
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared
by MailMarshal.
#####################################################################################
[ CONTENT OF TYPE text/html SKIPPED ]
Portcullis Security Advisory 06-038
Vulnerable System:
Movable Type
Vulnerability Title:
Username enumeration is possible via the password reset mechanism.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Porcullis Computer Security Ltd.
Affected systems:
All known versions of Movable Type, this vulnerability was discovered for version 3.16.
Details:
Requesting the URL http://webserver/path/to/mt.cgi?__mode=recover&name=<username> returns pages containing different error messages dependent on whether an account with that username exists in the authentication database or not. If an account with that username exists, the error message is "'Birthplace' does not match stored 'birthplace' for this author"; however, if no account with that username exists, then the error message "No such author with name '<username>'" is instead returned.
Impact:
An attacker could use this to enumerate the account usernames which exist in the authentication database.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Portcullis Security Advisory - 06-033
Vulnerable System:
Movable Type
Vulnerability Title:
The username and password hash for the administration interface is stored within a cookie.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Movable Type, the vulnerability discovered was for version 3.16.
Details:
Following a successful login to the administration interface, the cookie mt_user is set. This cookie contains the string <account username>::<account password hash>::<remember flag> and is accessible to any page requested from within the same directory as the mt.cgi CGI script. This string will expire at the end of the users session where the remember flag is set to 0 during the initial login, or in 10 years time where the remember flag is set to 1 during the inital login.
Impact:
Should an attacker succeed in grabbing this cookie (either via Cross-site Scripting(XSS) as described above, interception during transmission or from the user's browser), they will be able to successfully login, until such time as the password for this account is changed either by setting a similar cookie in their browser, or by modifying their requests through a Man-In-The-Middle proxy.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Portcullis Security Advisory 06-034
Vulnerable System:
Movable Type
Vulnerability Title:
The blog directory path can be set to any arbitrary directory path during the creation of new blogs.
Vulnerability discovery and development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Movable Type, this vulnerability was discovered for version 3.16.
Details:
Assuming the account that the user is logged in with has sufficient permissions to create new blogs, then a blog can be created with any arbitrary directory path.
Impact:
An attacker could use this in combination with the upload mechanism issue below to upload SSH private keys into the web server system users home directory, overwrite existing CGI scripts, deface other web sites on the web server or carry out any other attack which requires the modification of files on the web server. This is especially dangerous if the web server system user has administrative permission which allow it to access any directory and write to any file.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Portcullis Security Advisory 06-035
Vulnerable System:
Movable Type.
Vulnerability Title:
The create entry mechanism is vulnerable to JavaScript injection.
Vulnerability Discovery And Development:
Portcullis Security Testing Services
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Movable Type, this vulnerability was discovered for version 3.16.
Details:
During the creation of new blog entries, it is possible for an attacker to inject JavaScript into the title, category, body, extended body and excerpt form elements which will then be executed when a user visits a number of sections of the administration interface including the list entries mechanism, the preview entry mechanism as well as the blog index and the published entry.
Impact:
An attacker could use this to execute malicious code on visitors computers.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Portcullis Security Advisory 06-036
Vulnerable System:
Movable Type
Vulnerability Title:
A potential phishing attack via the comments mechanism.
Vulnerability Discovery And Development:
Portcullis Security Testing Services
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Movable Type, the vulnerability was discovered for version 3.16.
Details:
By posting a comment to an entry on a blog, it is possible to create URLs within the web server domain which actually forward anyone who requests them to a URL on another web server by entering a URL with the comment. Comments that include a URL will be added to the blog entry with the URL encoded as http://webserver/path/to/mt-comments.cgi?__mode=red;id=<id> which forwards any user who requests the URL using JavaScript to the URL referenced by the id.
Impact:
By forwarding this URL, which may be seen as trusted an attacker may be able to lure its recipients to a malicous site of their creation.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Portcullis Security Advisory 06-037
Vulnerable System:
Movable Type
Vulnerability Title:
The Upload mechanism potentially allows the upload of arbitrary code for execution as the web server user.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Movable Type, this vulnerability was discovered for version 3.16.
Details:
Since the Movable Type application stores all uploads to a blog within the blog directory path, it may be possible to execute arbitrary code by uploading it and requesting the resulting URL.
Impact:
An attacker could use this to upload scripts written in languages such as PHP which the web server may, by default, execute directly from any point within the web root, or in combination with the blog directory path issue above to overwrite existing CGI scripts such as those included within the Movable Type application.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux