January 5, 2007

Full Disclosure

A little over a month ago, Mike Stay noticed something really bad. Our MovableType installation seemed to be vulnerable to script injection. In fact, it did not seem to be doing any sanitization on user input at all! You could type any (valid) XHTML into a comment, and it would be accepted.

This was very puzzling, as comments used to be sanitized. I contacted Zack Ajmal, who has an MT installation similar to mine, which also seemed to be vulnerable. Searching around the ‘Net, some MT 3.3 blogs seemed to be vulnerable; others did not. Eventually, it transpired that those who had disabled the “nofollow” plugin had inadvertently disabled comment-sanitization as well¹. SixApart, in their wisdom, had bypassed the sanitization code in the body of the application (where it used to take place) and did the sanitization in the plugin instead. Which meant that if you disabled the plugin …

This was bad, and Zack contacted SixApart on December 6. They asked him to hold off on disclosing the vulnerability for 30 days. That interval has passed, and Zack has published details of the vulnerability on his blog. I’m doing so, too, in the interest of getting the word out to those who may be vulnerable.

Until SixApart issues an update, you have two options for fixing the problem:

1. Re-enable the “nofollow” plugin.
2. Add an explicit sanitize="1" attribute to any MovableType tag that needs sanitizing:

      <MTCommentBody sanitize="1">
      <MTCommentPreviewBody sanitize="1">
      ...

I’ve taken the latter course. But, whatever you do, make sure you’re not allowing commenters to insert arbitrary JavaScript code onto your blog!
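Taking the second route means every comment-body tag in every template has to carry the attribute, and a single missed one reopens the hole. The following script is an added example, not part of the original post or of MovableType: it scans template text for the comment-body tags named here (the two core tags plus the OpenPGPComment plugin’s `<MTPGPCommentBody>` from the footnote), reports those with no `sanitize` attribute, and can write a fixed copy. It assumes templates are available as text, handles both the `<MTTag>` and `<$MTTag$>` spellings, and works on a constructed sample template.

```python
import re

# Comment-body template tags named on the page: the two MovableType core tags
# plus the OpenPGPComment plugin's own tag from the footnote. Matched case-insensitively.
COMMENT_BODY_TAGS = {"mtcommentbody", "mtcommentpreviewbody", "mtpgpcommentbody"}

# Matches both <MTCommentBody ...> and the <$MTCommentBody ...$> function-tag
# form. Groups: leading "$" (if any), tag name, raw attribute text, trailing "$".
TAG_RE = re.compile(r"<(\$?)(MT\w+)\b([^>]*?)(\$?)>", re.IGNORECASE)
# Any explicit sanitize="..." attribute counts as present, whatever its value.
SANITIZE_RE = re.compile(r'\bsanitize\s*=\s*"[^"]*"', re.IGNORECASE)


def find_unsanitized(template: str) -> list[tuple[int, str]]:
    """Return (line number, tag name) for each comment-body tag lacking a sanitize attribute."""
    findings = []
    for m in TAG_RE.finditer(template):
        name, attrs = m.group(2), m.group(3)
        if name.lower() in COMMENT_BODY_TAGS and not SANITIZE_RE.search(attrs):
            line_no = template.count("\n", 0, m.start()) + 1
            findings.append((line_no, name))
    return findings


def add_sanitize(template: str) -> str:
    """Return a copy of the template with sanitize="1" added to every flagged tag."""
    def fix(m: re.Match) -> str:
        lead, name, attrs, trail = m.groups()
        if name.lower() in COMMENT_BODY_TAGS and not SANITIZE_RE.search(attrs):
            return f'<{lead}{name}{attrs} sanitize="1"{trail}>'
        return m.group(0)  # leave every other tag untouched
    return TAG_RE.sub(fix, template)


# Constructed sample template (not a real MT default template): one tag already
# carries sanitize="1", two do not, and MTComments/MTCommentAuthorLink are ignored.
SAMPLE_TEMPLATE = """<MTComments>
<div class="comment-body"><$MTCommentBody$></div>
<p><MTCommentPreviewBody sanitize="1"></p>
<p><MTPGPCommentBody></p>
<$MTCommentAuthorLink$>
</MTComments>
"""

if __name__ == "__main__":
    for line_no, tag in find_unsanitized(SAMPLE_TEMPLATE):
        print(f"line {line_no}: <{tag}> has no sanitize attribute")
    print(add_sanitize(SAMPLE_TEMPLATE))
```

Run it over each template file exported from your installation; any tag it reports is one that will render commenter markup unfiltered once the “nofollow” plugin is off.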

Update:

MT 3.34 fixes this issue (along with some others). ⊡

¹ In my case, “nofollow” is disabled for the comment body, and for the author-link of PGP-signed comments. The OpenPGPComment plugin has its own template tags (<MTPGPCommentBody>, etc.) which are not operated on by the “nofollow” plugin.

Posted by distler at January 5, 2007 6:12 PM