Upgrading to Movable Type 6.0.3, 5.2.10 and 5.17
Movable Type 6.0.3, 5.2.10, and 5.17 are being released as mandatory security updates. These updates resolve a security-related issue discovered in Movable Type 6.0.2, 5.2.9, and 5.161. Movable Type 6.0.3 also includes several bug fixes.
Security update overview
Cross-site scripting (XSS) was possible due to improper escaping of certain entry editing screen fields and comment input fields.
Affected versions
This security issue affects 6.0.2, 5.2.9 and 5.161, as well as the following related products:
- Movable Type 6.x (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 6.x
- Movable Type 5.x (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.x
- Movable Type Open Source 5.x
Updated versions
We recommend upgrading to one of the following versions, depending on which version you were previously using.
- Movable Type 6.0.3 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 6.0.3
- Movable Type 5.2.10 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.2.10
- Movable Type Open Source 5.2.10
- Movable Type 5.17 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.17
- Movable Type Open Source 5.17
Download Links
Movable Type license holders, including personal free license and developer license: Six Apart User Site
MTOS (open source) version:
Upgrading
Once the package is downloaded, go through the upgrade process by following the steps outlined in the Upgrade Guide for Movable Type.
Required Steps After Upgrading
Custom field patch must be applied after upgrade
After previewing an entry or page that contains image custom fields and then returning to edit the entry or page, the image data becomes corrupted. A patch for this issue was subsequently released May 8, 2014. Please download the version that corresponds to your version of Movable Type:
- 6.0.3: MT-6.0.3-cf-preview.zip
- 5.2.10: MT-5.2.10-cf-preview.zip
- 5.17: MT-5.17-cf-preview.zip
Install the patch by extracting the archive contents on top of the Movable Type installation folder, so that addons/Commercial.pack/lib/CustomFields/Util.pm is replaced with the patched version.
Note this issue only affects Movable Type versions 6.0.3, 5.2.10 and 5.17. It does not affect versions 6.0.2, 5.2.9, 5.16 and prior versions.
Template changes
Some template changes to certain website and blog themes were necessary in Movable Type 6.0.3, 5.2.10 and 5.17. If you use any of the themes listed below, you will need to either refresh the template or modify the template manually.
Affected Themes
- Classic Blog
- Classic Website
- Community Blog
- Community Forum
- Eiger
- Pico
- Professional Blog
- Professional Website
- Rainier
Steps for Manual Revision
- Select Design > Templates from the side menu.
- From the System Templates listing, select Comment Completion.
- Search for the <$mt:ErrorMessage$> tag, located in the template around line 9, and add encode_html="1" to it so that the error text is HTML-escaped before it is output.
Pre-Revision
<mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage$></p></mt:SetVarBlock>
Post-Revision
<mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage encode_html="1"$></p></mt:SetVarBlock>
- Save changes.
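As an added example (not part of this advisory or of Movable Type's own code), the following Python script checks a template for ErrorMessage tags that still lack encode_html="1" and shows how the Pre-Revision and Post-Revision lines above expand a constructed error message. The encode_html function is an assumed stand-in for the escaping MT's modifier applies (&, ", <, >).

```python
import re

# The two template lines from the advisory, used here as sample input.
PRE_REVISION = ('<mt:SetVarBlock name="message"><p class="message error">'
                'The comment could not be posted. Error: <$mt:ErrorMessage$></p></mt:SetVarBlock>')
POST_REVISION = ('<mt:SetVarBlock name="message"><p class="message error">'
                 'The comment could not be posted. Error: '
                 '<$mt:ErrorMessage encode_html="1"$></p></mt:SetVarBlock>')

# Matches <$mt:ErrorMessage ...$> (and the <$MTErrorMessage$> spelling); group 1 is the attribute text.
ERROR_TAG = re.compile(r'<\$mt:?ErrorMessage\b([^$]*)\$>', re.IGNORECASE)
ENCODE_ATTR = re.compile(r'encode_html\s*=\s*"1"', re.IGNORECASE)


def encode_html(text):
    """Assumed equivalent of MT's encode_html modifier: escape &, ", <, > (ampersand first)."""
    return (text.replace('&', '&amp;').replace('"', '&quot;')
                .replace('<', '&lt;').replace('>', '&gt;'))


def unescaped_error_tags(template):
    """Return every ErrorMessage tag in the template that is missing encode_html="1"."""
    return [m.group(0) for m in ERROR_TAG.finditer(template)
            if not ENCODE_ATTR.search(m.group(1))]


def render_error(template, error_message):
    """Expand the ErrorMessage tag: raw text without the modifier, escaped text with it."""
    def expand(m):
        if ENCODE_ATTR.search(m.group(1)):
            return encode_html(error_message)
        return error_message
    return ERROR_TAG.sub(expand, template)


if __name__ == '__main__':
    # Constructed error text carrying markup, standing in for attacker-influenced input.
    sample = 'Invalid "author" value: <b>x</b>'
    for name, tpl in (('Pre-Revision', PRE_REVISION), ('Post-Revision', POST_REVISION)):
        print(name, 'unescaped tags:', unescaped_error_tags(tpl))
        print(render_error(tpl, sample))
```

Running unescaped_error_tags over each exported system template is a quick way to confirm the revision was applied everywhere before re-enabling comments.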
To Theme Developers
Please refer to the directions listed above and revise all theme templates accordingly.
Movable Type 6.0.3 Changes and Bug Fixes
The 6.0.3, 5.2.10, and 5.17 Release Notes offer more information on changes and bug fixes made in Movable Type 6.0.3.
Jack Lail on April 21, 2014, 4:02 p.m. Reply
How do you get to the English version of the user site? The one in this post goes to the Japanese version.
Charlie Gorichanaz on April 21, 2014, 10:58 p.m. Reply
Hi Jack, thank you for pointing this out! I replaced the link to the Japanese default site with the English one.
Jack Lail on April 22, 2014, 8:37 a.m. Reply
Awesome! Thank you.