Upgrading to Movable Type 6.0.3, 5.2.10 and 5.17

Movable Type 6.0.3, 5.2.10, and 5.17 are being released as mandatory security updates. These updates resolve a security-related issue discovered in Movable Type 6.0.2, 5.2.9, and 5.161. Movable Type 6.0.3 also includes several bug fixes.

Security update overview

Cross-site scripting (XSS) was possible due to improper escaping of certain fields on the entry editing screen and of comment input fields.

Affected versions

This security issue affects 6.0.2, 5.2.9 and 5.161, as well as the following related products:

  • Movable Type 6.x (packaged with Professional Pack or Community Pack)
  • Movable Type Advanced 6.x
  • Movable Type 5.x (packaged with Professional Pack or Community Pack)
  • Movable Type Advanced 5.x
  • Movable Type Open Source 5.x

Updated versions

We recommend upgrading to one of the following versions, depending on which version you were previously using.

  • Movable Type 6.0.3 (packaged with Professional Pack or Community Pack)
  • Movable Type Advanced 6.0.3
  • Movable Type 5.2.10 (packaged with Professional Pack or Community Pack)
  • Movable Type Advanced 5.2.10
  • Movable Type Open Source 5.2.10
  • Movable Type 5.17 (packaged with Professional Pack or Community Pack)
  • Movable Type Advanced 5.17
  • Movable Type Open Source 5.17

Movable Type license holders, including personal free license and developer license: Six Apart User Site

MTOS (open source) version:

Upgrading

Once the package is downloaded, go through the upgrade process by following the steps outlined in the Upgrade Guide for Movable Type.

Required Steps After Upgrading

Custom field patch must be applied after upgrade

After previewing an entry or page that contains image custom fields and then returning to edit the entry or page, the image data becomes corrupted. A patch for this issue was subsequently released May 8, 2014. Please download the version that corresponds to your version of Movable Type:

Install the patch by extracting the archive contents on top of the Movable Type installation folder, resulting in addons/Commercial.pack/lib/CustomFields/Util.pm getting replaced with the patched version.

Note this issue only affects Movable Type versions 6.0.3, 5.2.10 and 5.17. It does not affect versions 6.0.2, 5.2.9, 5.16 and prior versions.

Template changes

Some template changes to certain website and blog themes were necessary in Movable Type 6.0.3, 5.2.10 and 5.17. If you use any of the themes listed below, you will need to either refresh the template or modify the template manually.

Affected Themes

  • Classic Blog
  • Classic Website
  • Community Blog
  • Community Forum
  • Eiger
  • Pico
  • Professional Blog
  • Professional Website
  • Rainier

Steps for Manual Revision

  1. Select Design > Templates from the side menu.
  2. From the System Templates listing, select Comment Completion.
  3. Search for the <$mt:ErrorMessage$> tag, located in the template around line 9, and add encode_html="1".

    Pre-Revision

    <mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage$></p></mt:SetVarBlock>
    

    Post-Revision

    <mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage encode_html="1"$></p></mt:SetVarBlock>
    
  4. Save changes.

To Theme Developers

Please refer to the directions listed above and revise all theme templates accordingly.
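
When many theme templates need the same revision, the manual steps above can be checked by script. The following is an added example, not Movable Type's own code: it reports every ErrorMessage tag that lacks encode_html="1" and can rewrite it in the post-revision form, and it goes beyond the single tag spelling shown above to cover <$MTErrorMessage$> and <mt:ErrorMessage /> as well. The function names and the rule that only a straight-quoted "1" counts as escaped are assumptions of this example.

```python
import re
import sys

# One ErrorMessage tag in any spelling Movable Type accepts (names are
# case-insensitive): <$mt:ErrorMessage$>, <$MTErrorMessage$>, <mt:ErrorMessage />.
TAG_RE = re.compile(
    r"(?P<open><\$?\s*mt:?ErrorMessage\b)(?P<attrs>[^>]*?)(?P<close>\s*/?\$?>)",
    re.IGNORECASE,
)
# Assumption of this example: only a straight-quoted "1" counts as escaped, so a
# value pasted with typographic quotes or set to "0" is still reported.
ENCODED_RE = re.compile(r"""\bencode_html\s*=\s*(["'])1\1""", re.IGNORECASE)
ANY_ENCODE_RE = re.compile(r"\s*\bencode_html\s*=\s*\S+", re.IGNORECASE)


def find_unescaped(template):
    """Return (line_number, tag_text) for each ErrorMessage tag without encode_html="1"."""
    hits = []
    for m in TAG_RE.finditer(template):
        if not ENCODED_RE.search(m.group("attrs")):
            hits.append((template.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits


def add_encoding(template):
    """Rewrite each unescaped tag in the post-revision form; escaped tags are untouched."""
    def fix(m):
        if ENCODED_RE.search(m.group("attrs")):
            return m.group(0)
        attrs = ANY_ENCODE_RE.sub("", m.group("attrs"))  # drop a malformed value
        return m.group("open") + attrs + ' encode_html="1"' + m.group("close")
    return TAG_RE.sub(fix, template)


if __name__ == "__main__":
    # Usage: python this_script.py template_file [template_file ...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line, tag in find_unescaped(fh.read()):
                print(f"{path}:{line}: unescaped {tag}")
                status = 1
    sys.exit(status)
```

Run against exported template files, the script exits non-zero when any tag still needs the revision, so it can gate a theme release.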

Movable Type 6.0.3 Changes and Bug Fixes

The 6.0.3, 5.2.10, and 5.17 Release Notes offer more information on changes and bug fixes made in Movable Type 6.0.3.


3 Comments

Jack Lail on April 21, 2014, 4:02 p.m.

How do you get to the English version of the user site? The one in this post goes to the Japanese version.

Charlie Gorichanaz on April 21, 2014, 10:58 p.m.

Hi Jack, thank you for pointing this out! I replaced the link to the Japanese default site with the English one.

Jack Lail on April 22, 2014, 8:37 a.m.

Awesome! Thank you.