[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request: SQL injection in MovableType xml-rpc interface
From:       John Lightsey <john () nixnuts ! net>
Date:       2016-06-22 21:48:55
Message-ID: 1466632135.2458.9.camel () nixnuts ! net
[Download RAW message or body]


On Wed, 2016-06-22 at 17:34 -0400, cve-assign@mitre.org wrote:
> > SixApart just released new versions of MovableType 6.2 and 6.1 to fix an SQL
> > injection in the xml-rpc interface.  
> 
> > https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
> 
> This says:
> 
> >> Previous versions, including Movable Type 6.2.4 and 6.1.2, are
> >> susceptible to SQL injection attacks via XML-RPC interface.
> 
> >> AFFECTED VERSIONS OF MOVABLE TYPE
> 
> >>        Movable Type Pro 6.0.x, 6.1.x, 6.2.x
> >>        Movable Type Advanced 6.0.x, 6.1.x, 6.2.x
> 
> Use CVE-2016-5742.
> 
> > The vulnerability also affects the older GPLv2 licensed MovableType
> > 5.2.13.
> 
> Is there a separate public reference stating that 5.2.13 is affected?
> Or, do you mean that you've done your own analysis and concluded
> that 5.2.13 has the same vulnerability as 6.x? (Either one seems
> fine, and wouldn't affect the number of CVE IDs - we are mostly
> interested in linking the CVE to the primary-source reference about
> the 5.2.13 vulnerability, if such a reference exists elsewhere.)
> 

I sent the original vulnerability report to SixApart and based my report on the
5.2.13 version of the code.
["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]