JVNVU#92116866
Keitai Kit for Movable Type vulnerable to OS command injection
Critical
Overview
Keitai Kit for Movable Type contains an OS command injection vulnerability.
Products Affected
- Keitai Kit for Movable Type 1.35 through 1.641
Description
Keitai Kit for Movable Type provided by ideaman's Inc. contains an OS command injection vulnerability (CWE-78).
Attacks in the wild leveraging this vulnerability have been confirmed.
Impact
An arbitrary OS command may be executed on the server where the product is running.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
According to the developer, users of Keitai Kit for Movable Type 1.35 through 1.63 need to rebuild the website and the blog after applying the update.
Apply the Patch
Until an update can be applied, apply the appropriate patch according to the information provided by the developer.
Vendor Status
Vendor | Link |
---|---|
ideaman's Inc. | [Important] Keitai Kit for Movable Type 1.65 released |
References
- JPCERT/CC Official Blog, May 06, 2016: Some coordinated vulnerability disclosures in April 2016
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
[CVSS v3 base metric table (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability Impact) and CVSS v2 base metric table (Access Vector, Access Complexity, Authentication, Confidentiality/Integrity/Availability Impact); the selected ratings are not preserved in this copy]
Credit
Other Information
JPCERT Alert | JPCERT-AT-2016-0019 Alert on vulnerability in Keitai Kit for Movable Type |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2016-1204 |
JVN iPedia | |