TriNetre - Archive for October 24, 2005

(no longer updated)

« October 23, 2005 | Main | October 25, 2005 »


October 24, 2005
Deleted post on MT mail flaw
[Software] @ 09:15 AM

More than a year ago, I had reported a small flaw in the way MovableType uses Sendmail to send emails. At that time, I had taken down the post on the request of Six Apart. recently I was going though my list of draft posts and saw this post and decided to post it. So, here is the post that was briefly online in March 26, 2004.

MovableType (MT) does not use the '-oi' parameter when calling Sendmail, thus making it possible for a malicious user to prematurely terminate the body of the email notifications sent by the system.

Affected software description

From the software website:

Movable Type is Six Apart's powerful, customizable publishing system which installs on web servers to enable individuals or organizations to manage and update weblogs, journals, and frequently-updated website contents.

Affected software version

Any version upto 2.661 that uses the Sendmail system in Mail.pm Perl modules to send emails from the MT system. I have author has tested in on the latest (at that time) version of Movable Type - 2.661

Am I vulnerable?

If you are using Movable Type 2.661 or older version and have configured the weblog to use Sendmail for sending notifications, you are. To check whether you are using Sendmail, open up the configuration file 'mt.cfg' and search for the line 'MailTransfer smtp'. If this line is comment out or if instead the line reads 'MailTransfer Sendmail', you are using Sendmail and you are vulnerable.

Details of Vulnerability

The vulnerable code exists in the file "base_dir/lib/MT/Mail.pm" that is used to provide support for sending email notifications. Among other things, Mail.pm is used to provide notification to blog owner when a new comment or trackback is received or by a normal used to send reading recommendations. If the weblog is configured to use Sendmail as the backend system to send the emails, a vulnerability exists in the Mail.pm codes which allows a malicious user to prematurely terminate the script after the content he dictates is sent.

Sendmail uses the sequence of a dot in a new line to signal the end of the email's body. Thus, if a comment posted on the weblog by a user (malicious or otherwise) contains a dot-in-a-newline, the content above that sequence will be sent as the email content, while the content below the sequence will not be sent, but will still be stored in the MT database as part of the comment. Similar issue would exist with the text of the trackback received from other weblogs.

How can the vulnerability be exploited?

A lot of weblog owners using MT use notification of comments posting to keep track of the content of the comments posted. This in turn helps them in deciding if a new comment is unwanted (spam or in bad taste) and whether to delete the comment. A spammer or a malicious user could exploit this dependence on email notification to keep track of bad comments by placing the offending part of the comment after a dot-in-a-newline sequence, while keeping the part before the sequence civil. This advisory is not giving an example of such a comment (even though it is trivial to make one) as such to prevent curious users from trying to test it on other blogs.

A side effect of the exploit mentioned above is that MT-Blacklist's "Search & De-spam mode" capability is nullified. MT-Blacklist provides this feature by including a link in the comment notification email. From the MT-Blacklist website:

If you have comment notifications turned on, you will see a link on the bottom of the email. On the resulting page, you can delete the submission, rebuild the entry and related pages and add all or any of the extracted URL strings to your blacklist. After execution, you can also search for other submissions matching your newly updated blacklist or the last submitter's IP address. This feature makes cleaning spam out of your blog a quick and painless task.

However, since this URL is placed in the email after the comment body, using the previously mentioned exploit, the malicious user can prevent the URL from being printed in the email. Even if the author of MT-Blacklist changes his code to place the URL above the comment body, since the blog owner will not see the offending comment in his email, he might not use the "Search & De-spam" provided by the URL.

Similar exploits can be used by malicious MT Trackback and mt-send-entry.cgi usage.

Possible Solution

Call Sendmail with the 'oi' parameter in addition to the existing '-t'. Edit the base_dir/lib/MT/Mail.pm (MT v 2.661) and change line number 88 from the present:

exec $sm_loc, "-t" or

to

exec $sm_loc, "-oi", "-t" or

After editing, save the file. That is it.

Full Disclosure Policy

This vulnerability is being reported following the Full Disclosure Policy (RFPolicy) 2.0.

[Update] I forgot to mention that I have already patched my codes and have disabled the mt-send-entry.cgi file (a long time ago). So, please refrain from testing the bug on my installation.


Link | Comments (0) |