Movable Type User Registration Restriction Bypass

medium Nessus Plugin ID 55410

Synopsis

A blog running on the remote web server has a restriction bypass vulnerability.

Description

The version of Movable Type running on the remote host has a restriction bypass vulnerability. It is possible to create new user accounts even when registration has been disabled in the blog configuration.

A remote attacker could exploit this to register new accounts for blogs that do not allow registration.

This version of Movable Type likely has other unspecified vulnerabilities, although Nessus has not checked for them.

Solution

Upgrade to Movable Type 4.361 / 5.051 / 5.11 or later.

See Also

http://www.nessus.org/u?2ebc223f

Plugin Details

Severity: Medium

ID: 55410

File Name: movabletype_registration_bypass.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 6/23/2011

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

CVSS Score Rationale: No CVE available for this vulnerability.

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/a:sixapart:movable_type

Required KB Items: www/movabletype

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2011

Vulnerability Publication Date: 6/8/2011

Reference Information

BID: 48195