[原文]Six Apart Movable Type 3.16 allows local users with blog-creation privileges to create or overwrite arbitrary files of certain types (such as HTML and image files) by selecting an arbitrary directory as a blog's top-level directory. NOTE: this issue can be used in conjunction with CVE-2005-3102 to create or overwrite arbitrary files of all types.
Tim Brown is credited with the discovery of this vulnerability.
Movable Type Movable Type 3.17
Movable Type Movable Type 3.16
Movable Type Movable Type 3.2
Movable Type Movable Type 2.63
Movable Type Movable Type 2.0
Movable Type is prone to a vulnerability that allows attackers to create files outside of the Movable Type directory path. This issue occurs because the application fails to properly sanitize user-supplied input.
Note that this vulnerability can occur only when a validated user has sufficient permissions to create blog entries.
No exploit is required.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:firstname.lastname@example.org.