Security Advisory 06 – 037 – The Upload mechanism potentially allows the upload of arbitrary code for execution as the web server user
Vulnerability discovery and development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown – Portcullis Computer Security Ltd.
All known versions of Movable Type, this vulnerability was discovered for version 3.16.
Since the Movable Type application stores all uploads to a blog within the blog directory path, it may be possible to execute arbitrary code by uploading it and requesting the resulting URL.
An attacker could use this to upload scripts written in languages such as PHP which the web server may, by default, execute directly from any point within the web root, or in combination with the blog directory path issue above to overwrite existing CGI scripts such as those included within the Movable Type application.
Exploit code is not required.