JVNDB-2015-000067

[Japanese]
JVNDB-2015-000067
mt-phpincgi vulnerable to PHP object injection
Overview
mt-phpincgi is script that runs Movable Type templates as PHP. mt-phpincgi contains a PHP object Injection vulnerability. According to the reporter, attacks that attempt to exploit this vulnerability have been confirmed.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

Ichi Fujimoto mt-phpincgi
This vulnerability has been addressed in mt-phpincgi.php security update (in Japanese) released on 2015/05/15.
Impact
Arbitrary PHP code may be executed on the server by an unauthenticated attacker.
Solution
[Apply the update] The developer has released an update at mt-phpincgi.php security update. Apply the update according to the information provided by the developer.
Vendor Information
Ichi Fujimoto The blog of H.Fujimoto : Hajime Fujimoto website (in Japanese) The blog of H.Fujimoto : mt-phpincgi.php security update (in Japanese)
CWE (What is CWE?)
Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)
CVE-2015-2945
References
JVN : JVN#64459670 National Vulnerability Database (NVD) : CVE-2015-2945 IPA SECURITY ALERTS : Security Alert for Vulnerability in mt-phpincgi (JVN#64459670) (in Japanese)
Revision History
[2015/05/20] Web page was published [2015/05/25] Solution was modified [2015/05/28] References : Content was added


Date Public	2015/05/20
Date First Published	2015/05/20
Date Last Updated	2015/05/28

mt-phpincgi vulnerable to PHP object injection