January 5, 2007

Full Disclosure

A little over a month ago, Mike Stay noticed something really bad. Our MovableType installation seemed to be vulnerable to script injection. In fact, it did not seem to be doing any sanitization on user input at all! You could type any (valid) XHTML into a comment, and it would be accepted.

This was very puzzling, as comments used to be sanitized. I contacted Zack Ajmal, who has an MT installation similar to mine, which also seemed to be vulnerable. Searching around the ‘Net, some MT 3.3 blogs seemed to be vulnerable; others did not. Eventually, it transpired that those who had disabled the “nofollow” plugin had inadvertently disabled comment-sanitization as well¹. SixApart, in their wisdom, had bypassed the sanitization code in the body of the application (where it used to take place) and did the sanitization in the plugin instead. Which meant that if you disabled the plugin …

This was bad, and Zack contacted SixApart on December 6. They asked him to hold off on disclosing the vulnerability for 30 days. That interval has passed, and Zack has published details of the vulnerability on his blog. I’m doing so, too, in the interest of getting the word out to those who may be vulnerable.

Until SixApart issues an update, you have two options for fixing the problem:

  1. Re-enable the “nofollow” plugin.
  2. Add an explicit sanitize="1" attribute to any MovableType tag that needs sanitizing:
    <MTCommentBody sanitize="1">
    <MTCommentPreviewBody  sanitize="1">
    <MTCommentAuthorLink  sanitize="1">
    ...

I’ve taken the latter course. But, whatever you do, make sure you’re not allowing commenters to insert arbitrary JavaScript code onto your blog!
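To make concrete what “sanitizing” a comment body actually has to do, here is an allowlist-based sanitizer in Python. It is an added example for this post, not MovableType’s own code: the spec string only loosely imitates MT’s “tag attr attr,tag,…” sanitize-spec style, the allowlist in DEFAULT_SPEC is a constructed one rather than MT’s shipped default, and SAMPLE_COMMENT is a constructed comment body that shows a script element, an event-handler attribute and a javascript: link all being removed while ordinary markup survives. Unknown tags are dropped but their text is kept; script and style are dropped together with their contents; open tags are closed at the end so the output stays balanced for an XHTML page.

```python
"""Allowlist-based comment sanitizer (added example, not MovableType code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist; an assumption, not MT's real default sanitize spec.
DEFAULT_SPEC = "a href title,b,i,em,strong,p,br,blockquote,code,pre"
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "hr", "img"}
DROP_WITH_CONTENT = {"script", "style"}              # text inside is dropped too


def parse_spec(spec):
    """'a href title,b,br' -> {'a': {'href', 'title'}, 'b': set(), 'br': set()}"""
    allowed = {}
    for item in spec.split(","):
        parts = item.split()
        if parts:
            allowed[parts[0].lower()] = {a.lower() for a in parts[1:]}
    return allowed


def safe_url(value):
    """True only if the URL scheme is allowlisted. Whitespace and control
    characters are removed first, because browsers ignore them inside a scheme."""
    if value is None:
        return False
    compact = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(compact).scheme.lower() in SAFE_URL_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.stack = []        # open allowed tags, so output stays balanced
        self.skip_depth = 0    # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowed:
            return             # tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue       # e.g. onmouseover, style
            if name in ("href", "src") and not safe_url(value):
                continue       # e.g. javascript: or data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{''.join(kept)} />")
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return             # stray or disallowed end tag: ignore
        while True:            # also closes anything left open inside it
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text

    def finish(self):
        self.close()
        while self.stack:      # close whatever the commenter left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(comment_html, spec=DEFAULT_SPEC):
    parser = AllowlistSanitizer(parse_spec(spec))
    parser.feed(comment_html)
    return parser.finish()


# Constructed sample comment body: a script element, an event-handler attribute
# and a javascript: link, next to markup that should survive untouched.
SAMPLE_COMMENT = (
    '<p>Nice post! <script>run()</script><b onmouseover="run()">bold</b> '
    '<a href="javascript:run()">bad</a> <a href="http://example.com/">ok</a></p>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_COMMENT))
```

Running the block prints `<p>Nice post! <b>bold</b> <a>bad</a> <a href="http://example.com/">ok</a></p>`: the markup you want commenters to have is preserved, and everything that could execute is gone. The point of the post is that a sanitizer like this must run unconditionally on every comment-rendering tag, not only when some unrelated plugin happens to be enabled.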

Update:

MT 3.34 fixes this issue (along with some others). ⊡

¹ In my case, “nofollow” is disabled for the comment body, and for the author-link of PGP-signed comments. The OpenPGPComment plugin has its own template tags (<MTPGPCommentBody>, etc.) which are not operated on by the “nofollow” plugin.

Posted by distler at January 5, 2007 6:12 PM

TrackBack URL for this Entry:   https://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/1102

1 Comment & 0 Trackbacks

Re: Full Disclosure

Wow, that sounds pretty bad. I wonder why they haven’t made a public notification, or moved in to fix it. Especially after you have publicised it thus - it must be easy for someone to track down blogs powered by the version of MT you mention.

Posted by: Hindu Sutra on January 5, 2007 10:47 PM