CSS found in Movable Type

From: DarkHunter (darkhunter7_at_hackermail.com)
Date: 05/12/03

  • Next message: Jordan Wiens: "Re: CSS found in Movable Type"
    Date: 12 May 2003 18:26:59 -0000
    To: bugtraq@securityfocus.com
    
    

    Summary:
    Movable Type is a decentralized web-based personal publishing system
    designed to ease maintenance of regularly-updated content. This content
    can consist of, but is not limited to, entries in a weblog or online
    journal, photographs in an online photo gallery, news headlines on a
    newspaper site, or articles in an online magazine.

    Details:
    Vendor's site: www.movabletype.org

    Vulnerable systems:
    Movable Type version 2.63 and prior.

    Cross Site Scripting vulnerability found in writing comments. In the
    Comments section there are several textboxes:
    Name, Email Address, URL and Comments,
    and all the textboxes allow JavaScript code.
    In order to cause a CSS attack on the target site we need to write
    JavaScript code in the Name textbox (in some versions you can write the
    JavaScript code in the other textboxes of the Comments).

    Examples:
    You can use these JavaScript codes:
    <script>alert(document.cookie)</script>
    <script>alert("CSS discovered by DarkHunter")</script>
    "DarkHunter><script> .. (This code is so bad :) .. it causes the
    disappearance of all the Comments textboxes and buttons .. in other words
    everything after this code will disappear).
    And of course there are many codes that you can use.

    Solution:
    Edit the source code to strip malicious characters from the Name, Email
    Address, URL and Comments textboxes or escape malicious characters using
    addslashes().
    Check the vendor's website for new patches.

    Additional information:
    The information has been provided by DarkHunter.
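
An added example, not part of the original post and not Movable Type's own code: this Python sketch shows that backslash-escaping in the style of addslashes() leaves the payloads quoted in the post intact, while HTML-encoding each comment field on output neutralizes them. The field names, sample values, markup and function names are assumptions made for illustration, and the URL scheme check goes beyond what the post suggests.

```python
import html
from urllib.parse import urlsplit

# Constructed sample comment; name and text reuse payloads quoted in the post.
SAMPLE = {
    "name": '"DarkHunter><script>',
    "email": "reader@example.com",
    "url": "javascript:alert(document.cookie)",
    "text": "<script>alert(document.cookie)</script>",
}

def addslashes(value):
    """Rough equivalent of PHP addslashes(): backslash-escape \\, ' and "."""
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value

def safe_url(value):
    """Return the URL only if it is http(s) with a host, else an empty string."""
    value = value.strip()
    try:
        parts = urlsplit(value)
    except ValueError:
        return ""
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return value
    return ""

def render_comment(c):
    """Build the comment markup with every field encoded for HTML output."""
    name = html.escape(c["name"], quote=True)
    email = html.escape(c["email"], quote=True)
    text = html.escape(c["text"], quote=True)
    url = safe_url(c["url"])
    if url:
        author = '<a href="%s">%s</a>' % (html.escape(url, quote=True), name)
    else:
        author = name
    return ('<div class="comment"><p>%s</p><p>Posted by %s (%s)</p></div>'
            % (text, author, email))

def has_live_markup(fragment):
    """True if a raw <script tag survives in the fragment."""
    return "<script" in fragment.lower()

if __name__ == "__main__":
    print("addslashes only:", addslashes(SAMPLE["name"]))
    print("encoded output :", render_comment(SAMPLE))
```

Encoding belongs at output time, in the template that writes each field, so comments already stored are covered as well as new ones.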

