Published:2018/07/18  Last Updated:2018/07/18

JVN#62423700
Movable Type plugin MTAppjQuery vulnerable to PHP code execution

Overview

Movable Type plugin MTAppjQuery contains a PHP code execution vulnerability.

Products Affected

  • MTAppjQuery 1.8.1 and earlier

Description

MTAppjQuery provided by bit part LLC is a plugin for Movable Type.  An older version PHP library Uploadify is incorporated in MTAppjQuery v1.8.1 and earlier versions and the older versions of Uploadify contains unrestricted upload of arbitrary file (CWE-434), which may lead to arbitrary PHP code execution if MTAppjQuery is used.

Impact

A remote attacker may execute arbitrary PHP code on the server.

Solution

Update MTAppjQuery
Update to the latest version according to the information provided by the developer.
According to the developer, delete the Uplodify directory manually if the latest update cannot be applied.

Vendor Status

Vendor Link
bit part LLC About incorrect access to the Uploadify included by the past MTAppjQuery
[Re posting] About incorrect access to the Uploadify included by the MTAppjQuery v1.8.1 and earlier

References

  1. Sucuri Blog
    Uploadify, Uploadify and Uploadify – The New TimThumb?

JPCERT/CC Addendum

bit part LLC received reports that indicate unauthorized massive accesses to MTAppjQuery, bit part LLC has already released the update and also published an alert for the users of MTAppjQuery to delete Uploadify.
This advisory is to notify the users of MTAppjQuery that there is a vulnerability caused by the older versions of Uploadify and its risk and impact so that users can address to this vulnerability appropriately.

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 7.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2018-0645
JVN iPedia JVNDB-2018-000080