Date: Thu, 12 Feb 2015 07:25:38 -0600
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: MovableType before 5.2.12

Hi there,

MovableType 5.2.12 was released today to fix a flaw where Perl's Storable::thaw() was called on data sent by unauthenticated remote users in some interfaces.

https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html

The payload example provided to SixApart was a local file inclusion attack, but unauthenticated arbitrary remote code execution should be straightforward by tailoring the payload for the mix of Perl installed on the system running MTOS.

Please assign a CVE number for this issue.

John
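
An added example, not part of the original message and not Movable Type's code: one way to keep Storable::thaw() away from bytes a client can choose is to authenticate the serialized blob with a server-side HMAC and verify it before thawing. The message does not say how 5.2.12 fixes the flaw; the names `seal`, `unseal`, `ct_equal` and the key are hypothetical.

```perl
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256);

# Constructed key for the example; a real deployment loads a random server-side secret.
my $KEY     = 'constructed-example-key-not-for-production';
my $MAC_LEN = 32;    # HMAC-SHA256 output length in bytes

# Serialize server-side state and prepend a MAC over the serialized bytes.
sub seal {
    my ($data) = @_;
    my $blob = nfreeze($data);
    return hmac_sha256($blob, $KEY) . $blob;
}

# Constant-time comparison of two equal-length byte strings.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the thawed structure, or undef when the MAC does not verify.
# thaw() is never reached for bytes the server did not produce.
sub unseal {
    my ($token) = @_;
    return undef if !defined $token || length($token) <= $MAC_LEN;
    my $mac  = substr($token, 0, $MAC_LEN);
    my $blob = substr($token, $MAC_LEN);
    return undef unless ct_equal($mac, hmac_sha256($blob, $KEY));
    return thaw($blob);
}

my $token = seal({ blog_id => 1, step => 'confirm' });    # constructed sample state
my $ok    = unseal($token);
print "valid token: step=$ok->{step}\n";

# Flip one bit in the serialized part, as a client-modified value would look.
my $tampered = $token;
substr($tampered, -1, 1) = chr(ord(substr($tampered, -1, 1)) ^ 0x01);
print "tampered token: ", (defined unseal($tampered) ? "accepted" : "rejected"), "\n";
```

Where the state does not need Perl objects, a data-only format such as JSON avoids the object-instantiation behaviour of thaw() altogether.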