Home page logo

bugtraq logo Bugtraq mailing list archives

Re: CSS found in Movable Type
From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 12 May 2003 16:25:36 -0400 (EDT)

After taking a bit closer look at it, it appears that this is likely
result of the option:

"Allow HTML in comments?"
(Select Weblog Config / Preferences, scroll towards the bottom)

The default is for that option to be disabled.

Additionally, perusing the mt.cfg file yields the following:

# By default, Movable Type cleans up ("sanitizes") any data submitted by
# visitors to your site. This is done to remove any code (HTML or otherwise)
# that could compromise the security of your site. The sanitization code works
# by only allowing certain HTML tags--any other tags, and all processing
# instructions (PHP, for example) are stripped. The GlobalSanitizeSpec
# setting, then, specifies the tags and attributes that are allowed. The
# default setting is "a href,b,br/,p,strong,em,ul,li,blockquote".
# GlobalSanitizeSpec br/,p

It seems that only by changing those two options could an installation be
vulnerable to javascript cross-site scripting, though I could be wrong.

Jordan Wiens
UF Network Incident Response Team

On Mon, 12 May 2003, Jordan Wiens wrote:

I just tried it on an installed 2.63 MT and was unable to get the XSS to
work.  Tried the javascript samples in Name, email, homepage, and comment
field, all with no success.  MT properly elminated < > tags and left the
&lt; as &lt, not allowing any execution.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]