Vulnerabilities > CVE-2013-2184 - Code vulnerability in Sixapart Movable Type
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3183.NASL description Multiple vulnerabilities have been discovered in Movable Type, a blogging system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-2184 Unsafe use of Storable::thaw in the handling of comments to blog posts could allow remote attackers to include and execute arbitrary local Perl files or possibly remotely execute arbitrary code. - CVE-2014-9057 Netanel Rubin from Check Point Software Technologies discovered a SQL injection vulnerability in the XML-RPC interface allowing remote attackers to execute arbitrary SQL commands. - CVE-2015-1592 The Perl Storable::thaw function is not properly used, allowing remote attackers to include and execute arbitrary local Perl files and possibly remotely execute arbitrary code. last seen 2020-03-17 modified 2015-03-13 plugin id 81793 published 2015-03-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81793 title Debian DSA-3183-1 : movabletype-opensource - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3183. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(81793); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2013-2184", "CVE-2014-9057", "CVE-2015-1592"); script_xref(name:"DSA", value:"3183"); script_name(english:"Debian DSA-3183-1 : movabletype-opensource - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities have been discovered in Movable Type, a blogging system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-2184 Unsafe use of Storable::thaw in the handling of comments to blog posts could allow remote attackers to include and execute arbitrary local Perl files or possibly remotely execute arbitrary code. - CVE-2014-9057 Netanel Rubin from Check Point Software Technologies discovered a SQL injection vulnerability in the XML-RPC interface allowing remote attackers to execute arbitrary SQL commands. - CVE-2015-1592 The Perl Storable::thaw function is not properly used, allowing remote attackers to include and execute arbitrary local Perl files and possibly remotely execute arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712602" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774192" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2184" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-9057" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-1592" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/movabletype-opensource" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3183" ); script_set_attribute( attribute:"solution", value: "Upgrade the movabletype-opensource packages. For the stable distribution (wheezy), these problems have been fixed in version 5.1.4+dfsg-4+deb7u2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'SixApart MovableType Storable Perl Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:movabletype-opensource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"movabletype-opensource", reference:"5.1.4+dfsg-4+deb7u2")) flag++; if (deb_check(release:"7.0", prefix:"movabletype-plugin-core", reference:"5.1.4+dfsg-4+deb7u2")) flag++; if (deb_check(release:"7.0", prefix:"movabletype-plugin-zemanta", reference:"5.1.4+dfsg-4+deb7u2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id MOVABLETYPE_526.NASL description According to its version number, the Movable Type install hosted on the remote web server is affected by an unspecified flaw when the last seen 2020-06-01 modified 2020-06-02 plugin id 69051 published 2013-07-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69051 title Movable Type 5.2.X < 5.2.6 Unspecified Vulnerability code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69051); script_version("1.6"); script_cvs_date("Date: 2019/11/27"); script_cve_id("CVE-2013-2184"); script_bugtraq_id(60570); script_name(english:"Movable Type 5.2.X < 5.2.6 Unspecified Vulnerability"); script_summary(english:"Checks the version of Movable Type"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a blog application that is affected by an unspecified vulnerability."); script_set_attribute(attribute:"description", value: "According to its version number, the Movable Type install hosted on the remote web server is affected by an unspecified flaw when the 'comment_state()' function is processed by the 'unserialize()' function. This flaw is due to an issue with the Perl 'Storable::thaw()' function, which is considered unsafe to use on untrusted input. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2013/06/14/1"); # https://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b89bf14e"); # https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ab9ef14e"); script_set_attribute(attribute:"solution", value: "Upgrade to version 5.2.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2184"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/13"); script_set_attribute(attribute:"patch_publication_date", value:"2013/06/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/24"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:sixapart:movable_type"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("movabletype_detect.nasl"); script_require_keys("www/movabletype", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); install = get_install_from_kb( appname : "movabletype", port : port, exit_on_fail : TRUE ); dir = install["dir"]; install_loc = build_url(port:port, qs:dir); version = install["ver"]; if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Movable Type", install_loc); if (report_paranoia < 2) audit(AUDIT_PARANOID); ver = split(version, sep:".", keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # Versions 5.2.x less than 5.2.6 are vulnerable if ( version =~ "^5\.2" && (ver[0] == 5 && ver[1] == 2 && ver[2] < 6) ) { if (report_verbosity > 0) { report = '\n URL : ' +install_loc+ '\n Installed version : ' +version+ '\n Fixed version : 5.2.6\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Movable Type", install_loc, version);