Not a developer? Go to MovableType.com

News

Security Update for Movable Type

By Byrne Reese
Posted January 17, 2008, in News.

Cross posted from the "announcement":http://www.movabletype.com/blog/2008/01/movable-type-security-update.html found at the "Official Movable Type News blog":http://www.movabletype.com/blog/: Today we are releasing a mandatory security update for all Movable Type users, to address a potential security issue which has been reported by a third party. A detailed description of the vulnerability can be found later in this post, but to summarize: In affected versions of Movable Type, there are certain circumstances in which a blog template may be rendered dynamically via CGI in an otherwise static publishing context. If you use Movable Type to publish PHP files (or JSP or ASP pages) and have embedded within your Movable Type templates sensitive information (such as database connection information), then that sensitive information could potentially be exposed and viewed publicly. There is no record of a customer having been affected by this vulnerability. Here's the Update Advisor, a simple scorecard to let you evaluate this new release.

Movable Type Update Advisor: Version 4.01a and 3.36

  • Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 4.01a and MT 3.36 are free updates for users of any version of MT 4 or 3.3.
  • Upgrade Fatigue: No planned updates are scheduled until the release of MT4.1, which is currently in beta. There will be no further releases before MT 4.1 unless significant security issues are found which require a 4.0x release. It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.

download-mt.gifDownloads are available in your account for current customers or through the download page.
In addition to the updates to Movable Type 4.01a for MT4 users and Movable Type 3.36 for MT3 users, we have issued updates to Movable Type Enterprise and to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should be contacted by your account representative about these updates shortly. We also recognize that many Movable Type users are still running version 3.2. If you are running version 3.2, you can download a Comments.pm. Please note that this patch is only intended for use with Movable Type version 3.2. While we routinely perform security evaluations and do regular testing of Movable Type, and strive to make Movable Type as secure and reliable as possible, we sometimes have to release these updates in order to address issues found outside the course of our scheduled testing and release process. We sincerely apologize for the inconvenience of having to update your software.

Detailed Description

When a script is executed on a web server it can only be processed by a single interpreter (e.g. Perl, PHP, Java, etc). In other words, a perl script cannot output PHP code that can then subsequently be processed by the PHP interpreter later in the request chain. Scripts should therefore only output content intended for a browser. In Movable Type this may pose a problem when the Individual Entry Archive template is used to output static PHP (or JSP, ASP, etc) files to the file system. In the event that these templates are processed dynamically and displayed via a CGI then the server side code that they contain will become visible to the outside world. This can only occur when the Individual Archive Template is used to display comments dynamically. There is an additional script in use by a very small number of users called mt-view.cgi which exhibits a similar behavior. Generally speaking, this in and of itself may not pose a security threat, unless of course your templates output sensitive information intended to be processed by the server only, such as a database connection information or other sensitive information.

Versions Affected

All versions of Movable Type released since 3.2 (inclusive) are affected by this vulnerability.

Applying the Fix

* Users of Movable Type 4.01 can install the updated Movable Type 4.01a. * Users of Movable Type 3.3x can install the updated Movable Type 3.36. * Users of Movable Type 3.2 can replace Comments.pm (found in /path/to/mt/lib/MT/App/) with a patched version of Comments.pm. In addition, users of all versions of Movable Type are encouraged to remove the script entitled mt-view.cgi. Learn more about Upgrading Movable Type 4 or Upgrading Movable Type 3 in the MT documentation.
Back

11 Comments

Daniel Stout

Daniel Stout on January 17, 2008, 5:41 p.m. Reply

Byrne writes: In addition, users of all versions of Movable Type are encouraged to remove the script entitled mt-view.cgi.

Could you explain that a little more, Byrne? What functionality is lost if that file is deleted? Also, if you’re encouraging people to delete it, why is it included in the 4.01a version?

Thanks for your time.

Daniel Stout

Daniel Stout on January 17, 2008, 5:59 p.m. Reply

I still use — and like — the static publishing model, so mt-view.cgi is of little use to me. Thanks for satisfying my curiosity!

saj.thecommune.net

saj.thecommune.net on January 18, 2008, 8:07 a.m. Reply

When a script is executed on a web server it can only be processed by a single interpreter (e.g. Perl, PHP, Java, etc). In other words, a perl script cannot output PHP code that can then subsequently be processed by the PHP interpreter later in the request chain.

Oh, sure they can. At least with Apache 2 anyway:

Apache modules may now be written as filters which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.

Ok, so this is really not the point of the Security Notice but it just struck me as an odd thing to say.

saj.thecommune.net

saj.thecommune.net on January 18, 2008, 11:28 a.m. Reply

Based on my brief Googling, it sounds like Filter support in modphp may have never moved passed the experimental stage. You have to compile PHP using —with-apxs2filter. You might be able to use modext_filter to pass it through the PHP CLI.

Besides, nobody actually uses mod_php anymore, right? ;-)

Niall Kennedy

Niall Kennedy on June 20, 2008, 3:10 p.m. Reply

This MT.org post leads MTOS users to Six Apart’s derivative bundle products. I realize this is a result of quick cross-posting, but the post on MT.org should be adjusted to reflect the separate parent product.

There is no MTOS v3. Six Apart has a Movable Type product with 3.x versioning, but MTOS is based on code submission from December 2007 onwards.

“Downloads are available in your account for current customers or through the download page.”

There is no “your account” in an MT.org download management context. The download page link takes MT.org visitors to Six Apart’s bundle page. Proper link: http://movabletype.org/download.html

“It has been 152 days since the last recommended update to MT4.”

Proper link is the MT.org post. http://www.movabletype.org/2008/01/securityvulnerabilityannounc.html

“we have issued updates to Movable Type Enterprise and to the Movable Type Community Solution and Enterprise Solution”

Doesn’t apply in an MTOS context. “We” could be changed to “Six Apart” or the phrase removed.

Byrne Reese

Byrne Reese on June 20, 2008, 3:59 p.m. Reply

@Niall - thank you so much for this feedback. You are right, this was cross-posted quickly and I have followed some of your suggestions regarding linking to MTOS downloads over commercial builds. However, I left mention of Community and Enterprise software because MT.org is not an exclusive home for our open source product, but a home for the MT community at large. And just because people pay, I wouldn’t want to exclude them - especially for something as important as security - where we need to be as clear and as explicit as possible in our communications.

kallie

kallie on September 4, 2012, 5:29 a.m. Reply

Is there any problem with the security of Moveable type?

Andrew Gordon

Andrew Gordon on October 26, 2012, 11:29 p.m. Reply

For all these who don’t know it is quite normal to have such problems when you work with beta versions. At least, this is why they are beta - to find all bugs and security threats which to be solved before the official release :)

Liam Stefanson

Liam Stefanson on November 15, 2012, 1:29 a.m. Reply

Does it mean that this is not a bug problem, but it is a potential hacker attack to the site? What can the hacker do to my blog? He or she can’t steal data or something like this, because my blog is for betting? There are no bank or money related data!

Andrew Heaton

Andrew Heaton on November 28, 2012, 9:33 p.m. Reply

Is the script entitled mt-view.cgi could be found on the later versions of Movable Type or it has been removed after you found this vulnerability? Should we remove it manually or the fact we are with fifth versions of MT have solved the problem?

Ivan Petroff

Ivan Petroff on December 22, 2012, 1:25 a.m. Reply

Why should I remove mt-view.cgi file? I know it is an experimental file, but I use it quite good for creating dynamically-generated individual archive pages for my personal blog. Is there any danger for my site if I stick to that file?

Leave a Comment

Byrne Reese

Byrne Reese was previously the Product Manager of Movable Type at Six Apart, where he had also held positions as the Manager of Platform Technology and Product Manager for TypePad. Byrne is a huge supporter of the Movable Type user and developer community. He dedicates much of his time to promoting and educating people about Movable Type as well as building the tools and plugins for Movable Type that are showcased on Majordojo. He contributes regularly to open source; and he is an advocate for open protocols and standards like Atom and OpenID.

Website: http://profile.typekey.com/byrnereese