[Description]
MT (Movable Type) is blog software. MT has an XSS filter to remove scripts from user input, but there are ways to evade the filter using malformed input.

[Affected]
Movable Type <= 3.33

[Exploit]
By default, blog readers are allowed to post comments containing HTML tags. Attackers may post malformed comments such as the following.

1. NULL byte in a numeric entity reference.

   <A href="javascript[0x00]8;alert();">link</A>

2. Unfinished tag at the tail of the comment.

   <P><BR style="xss:expression(alert())"

MT's filter fails to sanitize these comments. Scripts in these comments may run in certain browsers (maybe in IE only).

[Impact]
- Cookie theft.
- Web page defacement.

[Solution]
Upgrade MT to the newest version. Six Apart fixed these problems in v3.34.

[Links]
http://www.sixapart.com/movabletype/beta/distros/MT-3.34-beta-Release-Notes.html

See #46226.

----
teracci2002@xxxxxxxxxxx
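The two [Exploit] vectors both defeat a filter that matches raw, un-normalized input. The following Python example is added here to illustrate that point; it is not Movable Type's code, and the naive filter is a constructed stand-in for a weak blacklist, not MT's actual implementation. The sample comments are constructed, modelled on the advisory's vectors. The hardened filter strips control bytes, decodes entities and drops an unterminated trailing tag before matching; it also collapses whitespace inside attribute values, which goes slightly beyond the advisory's two cases.

```python
import html
import re

# Constructed sample comments modelled on the advisory's two vectors (not the
# exact strings from the advisory). "\x00" is a raw NUL byte inside "&#58;".
NUL_IN_ENTITY = '<A href="javascript&#\x0058;alert()">link</A>'
UNFINISHED_TAG = '<P>hello<BR style="xss:expression(alert())"'

BAD_PATTERNS = ("javascript:", "expression(")
ATTR_RE = re.compile(r'''\s+([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)''')


def naive_filter(comment: str) -> str:
    """Stand-in for a weak blacklist filter: it only looks at complete tags
    (something between '<' and '>') and matches attribute text as-is."""
    def scrub(m):
        name, attrs = m.group(1), m.group(2)
        kept = ATTR_RE.sub(
            lambda a: "" if any(b in a.group(2).lower() for b in BAD_PATTERNS)
            else a.group(0), attrs)
        return f"<{name}{kept}>"
    return re.sub(r"<(\w+)([^>]*)>", scrub, comment)


def normalize(value: str) -> str:
    """Bring an attribute value to the form a lenient browser would act on:
    drop control bytes and whitespace, decode entities, then drop again."""
    value = re.sub(r"[\x00-\x1f\s]", "", value.strip("\"'"))
    value = html.unescape(value)            # &#58; -> ':'
    return re.sub(r"[\x00-\x1f\s]", "", value).lower()


def hardened_filter(comment: str) -> str:
    """Normalize before matching, and never let an unterminated tag through."""
    def scrub(m):
        tag = m.group(0)
        if not tag.endswith(">"):           # unfinished tag at the tail: drop it
            return ""
        if tag.startswith("</"):            # closing tag carries no attributes
            return tag
        name_m = re.match(r"<(\w+)", tag)
        if not name_m:                      # comment/doctype/junk: neutralize
            return html.escape(tag)
        def keep(a):
            aname, aval = a.group(1).lower(), normalize(a.group(2))
            if aname.startswith("on") or any(b in aval for b in BAD_PATTERNS):
                return ""                   # event handler or script URL/CSS
            return a.group(0)
        return f"<{name_m.group(1)}{ATTR_RE.sub(keep, tag[name_m.end():-1])}>"
    # NUL never belongs in a comment; strip it first so the regex sees what a NUL-ignoring browser sees.
    return re.sub(r"<[^>]*>?", scrub, comment.replace("\x00", ""))
```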