Upgrading to Movable Type 6.0.3, 5.2.10 and 5.17
Movable Type 6.0.3, 5.2.10, and 5.17 are being released as mandatory security updates. These updates resolve a security-related issue discovered in Movable Type 6.0.2, 5.2.9, and 5.161. Movable Type 6.0.3 also includes several bug fixes.
Cross site scripting (XSS) was possible due to improper escaping of certain entry editing screen fields and comment input fields.
This security issue affects 6.0.2, 5.2.9 and 5.161, as well as the following related products:
- Movable Type 6.x (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 6.x
- Movable Type 5.x (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.x
- Movable Type Open Source 5.x
We recommend upgrading to one of the following versions, depending on which version you were previously using.
- Movable Type 6.0.3 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 6.0.3
- Movable Type 5.2.10 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.2.10
- Movable Type Open Source 5.2.10
- Movable Type 5.17 (packaged with Professional Pack or Community Pack)
- Movable Type Advanced 5.17
- Movable Type Open Source 5.17
Movable Type license holders, including personal free license and developer license: Six Apart User Site
MTOS (open source) version:
Once the package is downloaded, go through the upgrade process by following the steps outlined in the Upgrade Guide for Movable Type.
After previewing an entry or page that contains image custom fields and then returning to edit the entry or page, the image data becomes corrupted. A patch for this issue was subsequently released May 8, 2014. Please download the version that corresponds to your version of Movable Type:
Install the patch by extracting the archive contents on top of the Movable Type installation folder, resulting in addons/Commercial.pack/lib/CustomFields/Util.pm getting replaced with the patched version.
Note this issue only affects Movable Type versions 6.0.3, 5.2.10 and 5.17. It does not affect versions 6.0.2, 5.2.9, 5.16 and prior versions.
Some template changes to certain website and blog themes were necessary in Movable Type 6.0.3, 5.2.10 and 5.17. If you use any of the themes listed below, you will need to either refresh the template or modify the template manually.
- Classic Blog
- Classic Website
- Community Blog
- Community Forum
- Professional Blog
- Professional Website
Steps for Manual Revision
- Select Design > Templates from the side menu.
- From the System Templates listing, select Comment Completion.
- Search for the <$mt:ErrorMessage$> tag, located in the template around line 9, and add the encode_html="1" attribute to it, so that the line
<mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage$></p></mt:SetVarBlock>
becomes
<mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage encode_html="1"$></p></mt:SetVarBlock>
To Theme Developers
Please refer to the directions listed above and revise all theme templates accordingly.
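The manual revision above and the note to theme developers both come down to one check: every <$mt:ErrorMessage$> tag in a theme's templates must carry encode_html="1", otherwise the error text is reflected into the page unescaped. The following script is an added example, not code from Six Apart or from Movable Type itself. It finds tags that still lack the attribute across any number of template files and can rewrite them. It assumes the colon-style tag forms shown on this page (<$mt:ErrorMessage ...$> and <mt:ErrorMessage ...>); the legacy <MTErrorMessage> spelling is not handled, and the sample template embedded in it is constructed from the Comment Completion line quoted above. It also treats an attribute written with typographic quotes (encode_html=”1”) as missing, since that is not a valid attribute value.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Matches <$mt:ErrorMessage ...$> and <mt:ErrorMessage ...>. Movable Type tag names are
# case-insensitive. Assumption: themes use the mt: prefix as on the advisory page; the
# legacy <MTErrorMessage> spelling is not covered.
TAG_RE = re.compile(r'(<\$?\s*mt:ErrorMessage\b)([^>]*?)(\$?>)', re.IGNORECASE)
# Only straight quotes count as the fix; encode_html=”1” with typographic quotes does not.
ENCODE_RE = re.compile(r'encode_html\s*=\s*["\']?1["\']?', re.IGNORECASE)
# Any encode_html attribute, valid or broken, so a broken one can be replaced cleanly.
ANY_ENCODE_RE = re.compile(r'\s*encode_html\s*=\s*\S*', re.IGNORECASE)


def find_unescaped_error_tags(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag_text) for each mt:ErrorMessage tag lacking encode_html="1"."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            if not ENCODE_RE.search(m.group(2)):
                findings.append((lineno, m.group(0)))
    return findings


def fix_template(template: str) -> str:
    """Add encode_html="1" to every mt:ErrorMessage tag that lacks it; other tags are untouched."""
    def add_attr(m: "re.Match[str]") -> str:
        open_tag, attrs, close = m.group(1), m.group(2), m.group(3)
        if ENCODE_RE.search(attrs):
            return m.group(0)                      # already escaped, keep as is
        attrs = ANY_ENCODE_RE.sub("", attrs)       # drop a malformed encode_html=... if present
        return f'{open_tag}{attrs.rstrip()} encode_html="1"{close}'
    return TAG_RE.sub(add_attr, template)


# Constructed sample modelled on the Comment Completion template line quoted in the advisory:
# line 2 still reflects the raw error text, line 4 already carries the fix.
SAMPLE_TEMPLATE = """<mt:If name="comment_error">
<mt:SetVarBlock name="message"><p class="message error">The comment could not be posted. Error: <$mt:ErrorMessage$></p></mt:SetVarBlock>
</mt:If>
<mt:SetVarBlock name="other"><p class="message error">Error: <$mt:ErrorMessage encode_html="1"$></p></mt:SetVarBlock>
"""


def check_paths(paths: List[str]) -> int:
    """Scan template files, print each unescaped tag, and return how many were found."""
    total = 0
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        for lineno, tag in find_unescaped_error_tags(text):
            print(f'{p}:{lineno}: missing encode_html="1" on {tag}')
            total += 1
    return total


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_errormessage.py path/to/theme/templates/*.mtml
        sys.exit(1 if check_paths(sys.argv[1:]) else 0)
    for lineno, tag in find_unescaped_error_tags(SAMPLE_TEMPLATE):
        print(f'sample:{lineno}: missing encode_html="1" on {tag}')
    print(fix_template(SAMPLE_TEMPLATE))
```

Run it over the template files of a custom theme before shipping the theme; a non-zero exit status means at least one tag still reflects the error message unescaped. The rewrite in fix_template only touches mt:ErrorMessage tags, so reviewing its output as a diff against the original template is straightforward.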
The 6.0.3, 5.2.10, and 5.17 Release Notes offer more information on changes and bug fixes made in Movable Type 6.0.3.