movabletype-opensource possible remote execute issue: workaround

To: debian-security@lists.debian.org
Subject: movabletype-opensource possible remote execute issue: workaround
From: Dominic Hargreaves <dom@earth.li>
Date: Thu, 10 Jan 2013 11:19:45 +0000
Message-id: <[🔎] 20130110111945.GB5458@urchin.earth.li>

Hi,

If you use Movabletype from Debian stable, you may be exposed to a
possible SQL injection attack and remote code execution attack, as
described at

http://www.movabletype.org/2013/01/movable_type_438_patch.html

There is an update in the pipeline as discussed in

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697666

but you may wish to temporarily disable access to mt-upgrade.cgi
(which should not affect normal operation of MT) until this is
released.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Reply to:

Prev by Date: Re: [SECURITY] [DSA 2601-1] gnupg, gnupg2 security update
Next by Date: Iceweasel ESR 10 security update.
Previous by thread: Re: [SECURITY] [DSA 2601-1] gnupg, gnupg2 security update
Next by thread: Iceweasel ESR 10 security update.
Index(es):
- Date
- Thread