Date: Thu, 12 Feb 2015 07:25:38 -0600
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: MovableType before 5.2.12

Hi there,

MovableType 5.2.12 was released today to fix a flaw where Perl's
Storable::thaw() was called on data sent by unauthenticated remote users
in some interfaces.

https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html

The payload example provided to SixApart was a local file inclusion
attack, but unauthenticated arbitrary remote code execution should be
straightforward by tailoring the payload for the mix of Perl installed
on the system running MTOS.

Please assign a CVE number for this issue.

John
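
The message above describes Storable::thaw() being reached by data from unauthenticated clients. The following is an added example, not part of the original message and not Movable Type's code or its fix: one common defensive pattern is to authenticate a serialized blob with an HMAC before it is ever passed to thaw(). The key value and the helper names seal, unseal and ct_eq are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256);

# Assumption: a server-side secret that is never sent to clients (constructed value).
my $KEY = 'constructed-demo-key-change-me';

# Serialize and prepend a 32-byte HMAC-SHA256 tag over the frozen bytes.
sub seal {
    my ($data) = @_;
    my $blob = nfreeze($data);
    return hmac_sha256($blob, $KEY) . $blob;
}

# Compare two byte strings without exiting early on the first mismatch.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify the tag first, so thaw() only ever sees bytes this server produced.
sub unseal {
    my ($msg) = @_;
    return undef if !defined $msg || length($msg) <= 32;
    my ($tag, $blob) = (substr($msg, 0, 32), substr($msg, 32));
    return undef unless ct_eq($tag, hmac_sha256($blob, $KEY));
    return thaw($blob);
}

my $token = seal({ user => 'alice', step => 2 });    # constructed sample state
my $ok = unseal($token);
print "valid token: user=$ok->{user}\n";

# Flip one bit in the last payload byte, as a client editing the field would.
my $bad = $token;
substr($bad, -1, 1) = chr(ord(substr($bad, -1, 1)) ^ 1);
print "tampered token: ", (defined unseal($bad) ? "accepted" : "rejected"), "\n";
```

Where the client never needs to round-trip rich Perl structures, parsing a data-only format such as JSON instead of Storable removes the object-deserialization surface entirely.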
