~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2013-0209
PublicDate: 2013-01-22
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0209
 http://www.movabletype.org/2013/01/movable_type_438_patch.html
Description:
 lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through
 4.38 does not require authentication for requests to database-migration
 functions, which allows remote attackers to conduct eval injection and SQL
 injection attacks via crafted parameters, as demonstrated by an eval
 injection attack against the core_drop_meta_for_table function, leading to
 execution of arbitrary Perl code.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697666
Priority: high
Discovered-by:
Assigned-to:

Patches_movabletype-opensource:
 vendor: http://anonscm.debian.org/gitweb/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=6641bd2f42f5e48ac0a6cd2c0b0ccebea22967cb
upstream_movabletype-opensource: released (5.1.2+dfsg-1)
hardy_movabletype-opensource: DNE
lucid_movabletype-opensource: ignored (reached end-of-life)
oneiric_movabletype-opensource: ignored (reached end-of-life)
precise_movabletype-opensource: ignored (reached end-of-life)
precise/esm_movabletype-opensource: DNE (precise was needed)
quantal_movabletype-opensource: not-affected (5.1.4+dfsg-1)
raring_movabletype-opensource: not-affected
saucy_movabletype-opensource: not-affected
trusty_movabletype-opensource: not-affected
utopic_movabletype-opensource: not-affected
vivid_movabletype-opensource: DNE
vivid/stable-phone-overlay_movabletype-opensource: DNE
vivid/ubuntu-core_movabletype-opensource: DNE
wily_movabletype-opensource: DNE
xenial_movabletype-opensource: DNE
yakkety_movabletype-opensource: DNE
zesty_movabletype-opensource: DNE
devel_movabletype-opensource: DNE