Movable Type 4.x unauthenticated remote command execution
Description
Movable Type 4.x contains an unauthenticated remote command execution vulnerability in the mt-upgrade.cgi script. The script, typically reachable at /cgi/mt/mt-upgrade.cgi, is meant to be run only during installation and upgrades, but it can be invoked by any remote client without authentication. An attacker can send a crafted POST request that triggers database migration functions with attacker-chosen parameters. In particular, the core_drop_meta_for_table migration function takes a class parameter that is interpolated into a Perl eval() without validation, so an attacker who controls that parameter can execute arbitrary Perl, and therefore arbitrary system commands, in the context of the web server process.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediate Mitigation:
- Restrict access to mt-upgrade.cgi at the web server level: deny it to all but trusted administrator addresses, or place it behind web server authentication
- If an upgrade is not in progress, remove mt-upgrade.cgi from the web-accessible directory or rename it so it is not reachable at its default path, and restore it only for the duration of an upgrade
2. Permanent Fix:
- Upgrade to Movable Type version 4.38 or later, which includes a fix for this vulnerability
- If an immediate upgrade is not possible, apply the official security patch published by Movable Type (see references)
3. Verification:
- After patching, confirm that mt-upgrade.cgi is no longer reachable by an unauthenticated client, for example by requesting it from an external address and verifying that the request is denied
- Review web server access logs for requests to mt-upgrade.cgi made before remediation, POST requests in particular, since a legitimate upgrade is normally run once by an administrator and not from arbitrary external addresses
- Treat any unexplained access as a possible compromise and investigate the host (unexpected files in web-writable directories, unknown processes or scheduled jobs, modified Movable Type files) before trusting it again
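The log review in step 3, as an added example that is not part of the original advisory or of Movable Type itself. It parses web server access log lines in the common "combined" format, keeps only requests whose path is mt-upgrade.cgi, and ranks them: a query string naming the core_drop_meta_for_table migration function or carrying a class parameter is the strongest signal, a POST is the next strongest (the real payload travels in the POST body, which access logs do not record), and any other access is still worth a look. The log lines, the addresses and the parameter layout of the GET probe are constructed for the example and are not taken from a real attack.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (client, ident, user, timestamp,
# request line, status, size). The regex is written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Migration function named in the advisory; the parameter it reads is "class".
MIGRATION_FUNC = "core_drop_meta_for_table"

# Constructed sample log. The query string on the last line is an assumed
# shape for a GET probe; the actual exploit sends its parameters in a POST body.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2013:10:01:02 +0000] "GET /cgi/mt/mt.cgi HTTP/1.1" 200 5123
203.0.113.5 - - [12/Feb/2013:10:01:09 +0000] "GET /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 2048
198.51.100.7 - - [12/Feb/2013:10:02:44 +0000] "POST /cgi/mt/mt-upgrade.cgi HTTP/1.1" 200 310
198.51.100.7 - - [12/Feb/2013:10:02:51 +0000] "GET /cgi/mt/mt-upgrade.cgi?fn=core_drop_meta_for_table&class=MT%3A%3AAuthor HTTP/1.1" 500 0
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    reason: str


def analyse_line(line: str):
    """Return a Finding if the line is a request to mt-upgrade.cgi, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore rather than guess
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/mt-upgrade.cgi"):
        return None
    method = m.group("method")
    params = parse_qs(parts.query)
    # Check both the raw and the decoded query so percent-encoding does not hide the name.
    decoded = " ".join(v for vs in params.values() for v in vs)
    if MIGRATION_FUNC in parts.query or MIGRATION_FUNC in decoded:
        reason = "migration function named in request"
    elif "class" in params:
        reason = "class parameter supplied"
    elif method == "POST":
        reason = "POST to upgrade script (body not logged)"
    else:
        reason = "access to upgrade script"
    return Finding(m.group("ip"), m.group("ts"), method,
                   m.group("target"), int(m.group("status")), reason)


def scan(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


def summarize(findings):
    """Number of mt-upgrade.cgi requests per client address."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.ip} {f.method} {f.status} {f.reason}: {f.target}")
    print("requests per client:", summarize(found))
```

Run it against the real access log with `scan(open(path))` and treat every POST, and every client that was not the administrator performing a known upgrade, as an incident lead; a clean upgrade history is a single short burst of requests from one administrator address.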