
Movable Type 5.11, 5.051, and 4.361 Release Notes

Movable Type 5.11, 5.051, and 4.361 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. All users must upgrade to the latest release immediately.

The impact of the vulnerabilities

A remote attacker could create, read or modify the contents in the system under certain circumstances.

Versions Affected

  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x (with Professional Pack, Community Pack)
  • Movable Type 5.x (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.361
  • Movable Type Open Source 5.051
  • Movable Type Open Source 5.11
  • Movable Type 4.361 (with Professional Pack, Community Pack)
  • Movable Type 5.051 (with Professional Pack, Community Pack)
  • Movable Type 5.11 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.361
  • Movable Type Advanced 5.11


New configuration directives

  • A new configuration directive, DeniedAssetFileExtensions, was implemented in Movable Type 5.11, 5.051, and 4.361.
  • The configuration directive AssetFileExtensions was implemented in Movable Type 4.361 (Movable Type 5.01 and later versions already have this feature).

Both directives are consulted when a user uploads a file to Movable Type. Each takes a comma-separated list of file extensions, and regular-expression syntax is supported in each entry.

DeniedAssetFileExtensions is the blacklist. The default value is "ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,phps,phtm,phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd".
Files with these extensions are not accepted as uploads. If you need to upload a file with one of these blacklisted extensions, you must set your own list, omitting the extensions you wish to allow.

AssetFileExtensions is the white-list. The default value is null (empty). When this directive is set, Movable Type accepts as uploads only files whose extension matches the list. For example, the following value allows users to upload only images and movies: "gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma,aac,flac,m4a,mov,avi,3gp,asf,mp4,qt,wmv,asx,mpg,flv,mkv,ogm".

When the same file extension appears in both DeniedAssetFileExtensions and AssetFileExtensions, DeniedAssetFileExtensions takes precedence, so users cannot upload files with that extension.
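As an added illustration (not code from Movable Type itself), the following Python model captures the upload policy the two directives describe: both values are comma-separated regex fragments, an empty AssetFileExtensions imposes no restriction, and DeniedAssetFileExtensions wins whenever both lists match. Anchoring each entry to the whole extension, matching case-insensitively, and taking the text after the last dot as the extension are assumptions of this model, not documented Movable Type behaviour.

```python
import re

# Default DeniedAssetFileExtensions value quoted in the release notes.
DENIED_DEFAULT = ("ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,"
                  "htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,"
                  "phps,phtm,phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd")

# The "images and movies only" AssetFileExtensions example from the notes.
ALLOWED_MEDIA = ("gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma,aac,flac,m4a,"
                 "mov,avi,3gp,asf,mp4,qt,wmv,asx,mpg,flv,mkv,ogm")


def compile_list(value):
    """Turn a comma-separated directive value into anchored regex patterns.

    Assumption: every entry must match the entire extension (so "php" does
    not accidentally match "phps"), and matching is case-insensitive.
    """
    return [re.compile(r"\A(?:%s)\Z" % entry.strip(), re.IGNORECASE)
            for entry in value.split(",") if entry.strip()]


def upload_allowed(filename, denied=DENIED_DEFAULT, allowed=None):
    """Return True if a file with this name passes both directive checks."""
    # Assumption: only the text after the final dot is treated as the extension.
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""

    # The deny list is checked first and overrides any allow-list match.
    if any(p.match(ext) for p in compile_list(denied)):
        return False

    # A null/empty allow list means "no further restriction".
    if allowed:
        return any(p.match(ext) for p in compile_list(allowed))
    return True
```

Files such as ".htaccess" are rejected by the default deny list, and an extension listed on both sides (for example "php" added to the allow list) is still rejected.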

Other changes

The mt-add-notify.cgi script was removed from the packages. If you upgrade your installation by overwriting the existing folders, please remove this CGI file manually.

When the SingleCommunity configuration directive is set to "1", only the system administrator can trust or ban commenters. This is because, in SingleCommunity mode, a trusted commenter can hold permissions on all blogs within the Movable Type installation. Set SingleCommunity to "0" if you wish to trust or ban commenters at the blog level.

The blog_id parameter must now be specified when a new user registers with Movable Type via mt-cp.cgi. This change affects you only if you have customized the mt-cp.cgi registration page.

Fixed cases

The following issues were fixed in Movable Type 5.11, 5.051, and 4.361.

  • 106228 Permission: Can't locate object method "permission_error" via package "MT::App::CMS"
  • 106241 Wrong method call in the code

The following issues were fixed in Movable Type 5.11 and 5.051.

  • 106229 Permission: Manage Website cannot edit website settings

The following issues were fixed in Movable Type 5.11.

  • 106223 Unable to complete new installation: "The time zone is required."
  • 106206 [patch] sort_method modifier does not work with MTSubCategories and other tags
  • 106238 [patch] Time zone is not preserved in the installation wizard when "UTC-0" is selected.
  • 106239 [patch] Time Zone is not validated in General Settings
  • 106240 [patch] Time Zone is not validated in "Create Blog"

Community Contributors

This release includes contributions from our community. Thank you very much for all of your help!

Special thanks to Alfasado and other reporters for reporting the security issues.
