Movable Type is a professional publishing platform [ Taken from: http://www.movabletype.org ]

Vulnerability description

The ‘static’ parameter to the comment script is not sufficiently sanitised which allows an attacker to break out of the meta redirect url in the response, resulting in a cross site scripting attack.

• Discovered by: Eldar “Wireghoul” Marcussen
• Movable Type BugID: #105441
• Vendor: Six Apart Ltd - http://www.sixapart.com
• Affected versions:
  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x ( with Professional Pack, Community Pack )
  • Movable Type 5.x ( with Professional Pack, Community Pack )
  • Movable Type Enterprise 4.x

Proof of Concept

http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static=">

&logout=1&entry_id=

Solution

Upgrade to the latest versions of Movable Type 4 or Movable Type 5. * Movable Type Open Source 4.36 * Movable Type Open Source 5.05 * Movable Type Open Source 5.1 * Movable Type 4.36( with Professional Pack, Community Pack) * Movable Type 5.05( with Professional Pack, Community Pack) * Movable Type 5.1( with Professional Pack, Community Pack) * Movable Type Enterprise 4.36 * Movable Type Advanced 5.1

Disclosure time line

• 25-May-2011 - Advisory released
• 24-May-2011 - New version released
• 18-May-2011 - Patch produced
• 11-Jan-2011 - Vendor acknowledge vulnerability
• 08-Jan-2011 - Vendor notified through email