IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in Movable Type

Published: Dec 8, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) issued a security alert on December 8, 2010 concerning a security vulnerability in Movable Type.
This vulnerability could allow an attacker to manipulate the database, enabling the disclosure and/or deletion of the information held in the Movable Type system.
To fix this vulnerability, update the software to the fixed version provided by the product vendor.

1.Overview

Movable Type, developed by Six Apart, Ltd., is web content management system software used to create and manage the content of websites and blogs. Movable Type is vulnerable to SQL injection due to a flaw in its database processing. If exploited, an attacker could disclose and/or delete the information held in the Movable Type system by manipulating the database.
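The advisory names the vulnerability class (SQL injection) and its two consequences (disclosure and deletion) but, as is usual for a coordinated alert, does not publish the affected code path. The following is an added example, not Movable Type's code and not the vendor's fix: it uses a constructed SQLite table of blog entries and hypothetical lookup and delete functions to show how splicing request input into SQL text produces exactly those two outcomes, and how bound parameters close the hole.

```python
import sqlite3

# Constructed sample data standing in for a blog database.
# Illustration only; this is not Movable Type's schema or code.
SAMPLE_ENTRIES = [
    (1, "alice", "Public post", "public"),
    (2, "alice", "Draft with secrets", "draft"),
    (3, "bob", "Another public post", "public"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id INTEGER PRIMARY KEY, author TEXT, "
        "title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?, ?)", SAMPLE_ENTRIES)
    conn.commit()
    return conn


# --- Vulnerable pattern (CWE-89): request input becomes SQL syntax ---

def public_titles_vulnerable(conn, author):
    """Hypothetical 'list public posts by author' handler.

    The author string is concatenated into the statement, so a quote in the
    input closes the literal and the rest of the input is parsed as SQL.
    """
    sql = ("SELECT title FROM entries WHERE author = '" + author + "' "
           "AND status = 'public'")
    return [row[0] for row in conn.execute(sql)]


def delete_entry_vulnerable(conn, entry_id):
    """Hypothetical 'delete one entry' handler; the id is concatenated in.

    Returns the number of rows left so the effect is observable.
    """
    conn.execute("DELETE FROM entries WHERE id = " + entry_id)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM entries").fetchone()[0]


# --- Hardened pattern: bound parameters, input never reaches the parser ---

def public_titles_safe(conn, author):
    """Same query with a placeholder; the author value is passed as data."""
    sql = "SELECT title FROM entries WHERE author = ? AND status = 'public'"
    return [row[0] for row in conn.execute(sql, (author,))]


def delete_entry_safe(conn, entry_id):
    """Type-check the id, then bind it; returns rows remaining."""
    if not isinstance(entry_id, int):
        raise ValueError("entry id must be an integer")
    conn.execute("DELETE FROM entries WHERE id = ?", (entry_id,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM entries").fetchone()[0]


if __name__ == "__main__":
    # Disclosure: the comment marker discards the status filter, so the
    # unpublished draft is returned alongside the public posts.
    print(public_titles_vulnerable(make_db(), "' OR 1=1 --"))
    # Deletion: the tautology widens the WHERE clause to every row.
    print(delete_entry_vulnerable(make_db(), "1 OR 1=1"))
    # The same payloads against the hardened handlers are inert.
    print(public_titles_safe(make_db(), "' OR 1=1 --"))
```

The disclosure payload `' OR 1=1 --` turns `WHERE author = '' OR 1=1 --' AND status = 'public'` into a query that matches every row, including the draft; the deletion payload `1 OR 1=1` turns a single-row delete into `WHERE id = 1 OR 1=1`. With placeholders the database driver transmits the input as a value, so the same strings simply match no author and are rejected as a non-integer id. Movable Type itself is written in Perl; the equivalent protection there is DBI's `prepare` with `?` placeholders and `execute` with the values, never string-built statements.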

To get a fixed version, go to the following URL:
http://www.sixapart.jp/movabletype/news/2010/12/08-1100.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000061

IPA received a report concerning this vulnerability and its countermeasure directly from the product vendor on December 2, 2010, and published it today after JPCERT Coordination Center (JPCERT/CC) coordinated the disclosure with the vendor.

2.Impact

A remote attacker who sends a crafted request to a vulnerable Movable Type site could inject SQL into its database queries and thereby manipulate the database, disclosing and/or deleting the information held in the Movable Type system.


3.Solution

To fix this vulnerability, update the software to the fixed version provided by the product vendor.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9)  ■ Medium (4.0~6.9)  □ High (7.0~10.0)
CVSS base score: 6.8

(2) Base Score Metrics

AV:Access Vector          □ Local     □ Adjacent Network  ■ Network
AC:Access Complexity      □ High      ■ Medium            □ Low
Au:Authentication         □ Multiple  □ Single            ■ None
C:Confidentiality Impact  □ None      ■ Partial           □ Complete
I:Integrity Impact        □ None      ■ Partial           □ Complete
A:Availability Impact     □ None      ■ Partial           □ Complete

■:Selected Values

The selected metrics correspond to the CVSS v2 base vector AV:N/AC:M/Au:N/C:P/I:P/A:P, which evaluates to 6.8: exploitable over the network without authentication, with partial impact on each of confidentiality, integrity and availability.

5.CWE Type

This vulnerability is classified as "SQL Injection (CWE-89)".

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: