Not a developer? Go to


Movable Type 5.13, 5.07, and 4.38 Release Notes

This version of Movable Type was released February 21, 2012.

Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except the one reported from Trustwave (TWSL2012-003). All users must upgrade to this latest release immediately.


5.13, 5.07, and 4.38 address the multiple vulnerabilities including:

  • OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has a permission to sign-in to the admin script and also has a permission to upload files.
  • Session Hijack and CSRF exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code on victim’s browser under the certain circumstances.
  • XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003)


Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.38
  • Movable Type Open Source 5.07
  • Movable Type Open Source 5.13

  • Movable Type 4.38( with Professional Pack, Community Pack)
  • Movable Type 5.07( with Professional Pack, Community Pack)
  • Movable Type 5.13( with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.38
  • Movable Type Advanced 5.13

Upgrading to Movable Type 5.13, 5.07, or 4.38

You can download the latest packages from these sites.

Firstly, follow the instructions found in Movable Type’s upgrade guide to upgrade your Movable Type installation.

Refresh Templates

As a result of security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and JavaScript template in each blog were updated. You need to refresh those templates to comment or to use Community features once you upgrade to Movable Type 5.13, 5.07, 4.38, or later version. Please refer to the following documentation.

Here are the details of template changes.

Changes in Movable Type 5.13, 5.07, and 4.38

You can see the complete list of fixed bugs at this FogBugz page.

Following changes have been made in Movable Type 5.13, 5.07, and 4.38.

mt:Include file=”XXX” attribute is disabled in default settings

<p>In Movable Type 5.13, 5.07, 4.38, and later versions, <a href="">mt:Include <strong>file="XXX"</strong> attribute</a> was disabled in default settings. This change is to prevent a template designer accessing arbitrary files in the server. You can enable the attribute by specifying <a href="">AllowFileInclude</a> configuration directive.</p>

Added .pm .so .rb .htc in DeniedAssetFileExtensions

<p>Added more file extensions to the default value of <a href="/documentation/appendices/config-directives/deniedassetfileextensions.html">DeniedAssetFileExtensions</a> configuration directive. .pm, .so, .rb .htc were added. If you have already used this configuration directive, please consider adding these extensions.</p>

New features in Movable Type 5.13

Supported Browsers

<p>Movable Type 5.13 supports the following browsers and versions.</p>
  <li>Internet Explorer 9</li>
  <li>Firefox latest</li>
  <li>Safari latest</li>

Security Enhancements

Movable Type 5.13 introduces the following security features.

  • Account and IP Lockout
    Account lockout is a feature to protect your Movable Type account from a password-guessing attack known as a brute force attack or a dictionary attack. Movable Type locks out accounts after defined number of incorrect password attempts.
  • Changing Password Validation Rules
    A system administrator can set password validation policies to let users to use stronger passwords.
  • Stronger Password Encryption

New callback : saveconfigfilter

<p>A new <strong>save_config_filter</strong> callback was added. This callback is triggered before the plugin settings are saved. The plugin developers can use this callback to validate the values in the settings. If the callback returns <strong>true</strong>, the system saves the plugin settings. If the callback returns <strong>false</strong>, the system does not save the settings. Use $app-&gt;error to set the error message.</p>

<pre class="prettyprint"><code class="language-perl">sub save_config_filter($cb, $plugin, $data, $scope)

{ if ($data->{combination} ne ‘777’) { $plugin->error("Sorry, wrong combination"); return 0; } return 1; }

  <li><strong>$cb</strong><br />Callback object.</li>
  <li><strong>$plugin</strong> <br />Plugin object(ID).</li>
  <li><strong>$data</strong> <br />Hashed strings of the plugin settings. The key is the setting name, and the value is the input value.</li>
  <li><strong>$scope</strong><br />Scope of the plugin, system or blog.</li>

end of this page.