
Tenable Blog


Plugin Spotlight: Movable Type mt-check.cgi Information Disclosure

Severity Is Multi-Dimensional

Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with "high" severity ratings always caught my attention first. Sometimes it would take a week's worth of effort to evaluate and remediate the high-severity vulnerabilities. Although I knew that I should also investigate the low or medium severity level alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks and would most often go months or years without being fixed, or never get fixed at all, unless a security incident occurred that involved one of the low-severity vulnerabilities.

This is a problem that many organizations face, and the following particular Movable Type vulnerability is a great example that I hope underscores the point that "lower severity rating" does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it's not remotely exploitable to gain shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application).

Movable Type "mt-check.cgi"

Movable Type is a popular blogging and content management platform that powers Typepad, a web service that allows people to sign up and create their own blogs. It is written in Perl, and has had some vulnerabilities in the past. Movable Type contains a script called "mt-check.cgi" that is documented as follows:

This stand-alone script checks for all the required and optional Perl modules and reports on the status of each.

Viewing the mt-check.cgi script is the easiest way to check the details of the server environment to determine if the prerequisite libraries/modules are present so that Movable Type can be installed.

While the Movable Type documentation explains the purpose of the script, it does not recommend that users disable or remove this script post-installation. A little Google research shows that this has led to a large number of sites that contain this script. My own "Google Dorking" reveals approximately 280,000 web sites that have not removed mt-check.cgi.

Reference: http://www.movabletype.org/documentation/installation/mt-check.html

If mt-check.cgi is left in place after a Movable Type installation, it provides the attacker with a wide variety of useful information (more documentation can be found in OSVDB 60492). I will leave it to your own "Google Hacking" skills to get an idea of how widespread this problem is.

Information Disclosure

The Movable Type script "mt-check.cgi" reveals the following pieces of information:

System Information Section

The top portion of the page displays the Movable Type version number, the directory the mt-check.cgi script is running from (working directory) and the MT home directory. This information can be used to find vulnerabilities associated with this version of Movable Type, perhaps by using a vulnerability database such as the OSVDB and its powerful search engine. Initially, the directory information may not seem like a big concern, but if there are remote file inclusion, local file inclusion or file upload vulnerabilities present, this information is key to a successful attack. The attacker must know where to copy files or find directories that are writable by the web server or database server. The operating system is also a key element, as the syntax for some of the web application attacks previously mentioned will change based on platform. The Perl version is also displayed; an older version of Perl could contain vulnerabilities that could be exploited by an attacker.

Web Server Information

Even if a system administrator has disabled the Apache banner (e.g., setting "ServerTokens" to "Prod" in the Apache configuration file), the mt-check.cgi script will reveal this information. The banner reveals not only the versions of all software currently in use, but also that the PHP installation is being protected with the Suhosin patch, which adds a significant level of security to any PHP applications installed on the web server. Armed with this information, an attacker can then construct web application attacks, such as HTTP response splitting or specific attacks against Suhosin, in such a way as to evade web application firewalls.

Sampling Of Information Provided About Perl Modules

Information about MT modules and the associated versions of Perl modules is also helpful to attackers. For example, vulnerabilities have been disclosed about the DBI library, just as vulnerabilities could exist for other software on the system. Nessus plugin 42842, "Movable Type mt-check.cgi System Information Disclosure", detects this vulnerability. Be certain to click the checkbox labeled "Enable CGI scanning" in the preferences table of your policy to detect these vulnerabilities:

[Screenshot: Enable CGI Scanning]


Detecting this vulnerability is fairly straightforward. For example, below is an Apache log file sample of an attacker accessing the mt-check.cgi application:

- - [17/Nov/2009:21:51:04 +0000] "GET /movabletype/mt-static//images/icon_success.png HTTP/1.1" 200 795 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"

There are several different ways to detect the activity shown above. A network intrusion detection system or passive vulnerability scanner (such as Tenable's Passive Vulnerability Scanner) could be used to find it on the network. Monitoring the logs on the Apache servers will also reveal that this page exists and was accessed by attackers. Tenable's LCE (Log Correlation Engine) can be used to monitor for this attack and alert accordingly, and even to correlate the activity with other systems and log sources.
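The Apache log monitoring described above can be sketched as follows. This is an added example, not code from the original post or from any Tenable product. It assumes the Apache "combined" log format; the function names and the sample log lines (documentation-range addresses, constructed sizes) are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def is_mt_check(target):
    """True if the decoded, normalised request path contains mt-check.cgi."""
    path = unquote(urlsplit(target).path)           # drop query, undo %-encoding
    path = re.sub(r"/{2,}", "/", path).lower()      # collapse '//' and fold case
    # A CGI can receive trailing path info (/mt-check.cgi/x), so test each segment.
    return "mt-check.cgi" in path.split("/")

def scan(lines):
    """Return {client: {"served": [...], "probed": [...]}} for mt-check.cgi hits."""
    hits = defaultdict(lambda: {"served": [], "probed": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_mt_check(m["target"]):
            continue
        # 2xx: the script is still on disk and answered. Otherwise it was only probed.
        bucket = "served" if m["status"].startswith("2") else "probed"
        hits[m["host"]][bucket].append((m["time"], m["target"]))
    return dict(hits)

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2009:21:50:58 +0000] "GET /movabletype/mt-check.cgi HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Nov/2009:21:51:04 +0000] "GET /movabletype/mt-static//images/icon_success.png HTTP/1.1" 200 795 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Nov/2009:03:12:40 +0000] "GET /blog//MT-Check.cgi?x=1 HTTP/1.0" 404 209 "-" "-"',
    '198.51.100.7 - - [18/Nov/2009:03:12:41 +0000] "GET /cgi-bin/mt/mt%2Dcheck.cgi HTTP/1.0" 200 8390 "-" "-"',
]

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG).items():
        print(client, "served:", len(found["served"]), "probed:", len(found["probed"]))
```

A "served" entry means the script is still present on that host and should be removed; "probed" entries show clients looking for it after removal.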


Low-priority vulnerabilities will often provide attackers with information that could lead to more reliable exploitation of other vulnerabilities. Remediating lower severity vulnerabilities needs to be a part of your vulnerability management strategy. Make sure the removal of the mt-check.cgi script in Movable Type is in your system hardening guides, along with other configuration checking such as the OWASP Top Ten List and Apache Hardening Guidelines from the Center For Internet Security.
