Not a developer? Go to MovableType.com

News

Movable Type Security Update for 4.0 and 4.1

By Byrne Reese
Posted June 20, 2008, in Security.

Cross posted from the announcement found at the Official Movable Type News blog:

Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free mandatory security updates for all Movable Type 4.x users. These updates resolve a vulnerability which has not been exploited, but was reported to us by a third party on June 16. We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below, but in short a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which could be exploited by malicious parties to execute javascript without permission.

We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.

Movable Type Update Advisor: Version 4.01b and 4.12:

  • Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
  • Upgrade Fatigue: No planned updates are scheduled until the release of MT4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT4.

download-mt.gifDownloads are available in your account for current customers or through the download page for MTOS.


Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.

In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.

A Commitment to Security

We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes to affected versions of Movable Type, we have also amended our development and testing processes internally to help better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.

Detailed Description

When conducting a tag search in Movable Type, the application is not properly escaping the optional IncludeBlogs query string parameter. As a result, one could construct an exploit whereby a user could click on a link that conducts a tag search and unbeknownst to them also execute malicious javascript code embedded by the third party. Malicious javascript code could be used to transmit sensitive information about the user's active session.

Versions Affected

Only the following versions of Movable Type are affected by this issue.

  • Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
  • Movable Type 4.1 (Open Source, Personal and Commercial)
  • Movable Type Community Solution 1.0, 1.0a
  • Movable Type Community Solution 1.5
  • Movable Type Enterprise Solution 1.0

All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.

Applying the Fix

  • Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the file lib/MT/App/Search.pm file found in their distribution with an updated version.
  • Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.

Learn more about Upgrading Movable Type 4 in the MT documentation.

As always, thank you so much for choosing Movable Type and we sincerely apologize for the inconvenience of having to upgrade your software, and are committed to making such updates as infrequent as possible.

Back

8 Comments

Pete Corbon

Pete Corbon on July 5, 2012, 1:02 a.m. Reply

Just upgraded without a problem and everything seems to be working fine. I’m glad that MT is getting better and better! :)

sms messages

sms messages on July 12, 2012, 3:18 a.m. Reply

I wish to see video clips though as I can be A.D.D and examining content is not my preferred factor to do on the internet. So what I do sometimes is just list the whole factor and study off-line. ramadan sms

sms messages

sms messages on July 12, 2012, 3:22 a.m. Reply

That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.

Nadine Banchard

Nadine Banchard on August 4, 2012, 5:08 a.m. Reply

I use MT for about three years and I haven’t had a problem with spam or other similar to this problem.

haseeb

haseeb on August 6, 2012, 7:44 a.m. Reply

See on ainult ajak├╝simus, millal eid wallpapers mobiiliga kaardimaksed populaarseks saavad.

Kenly

Kenly on September 4, 2012, 6:42 a.m. Reply

It would be great if the owners of every platform or CMS react so fast and with so much passion on the comments from the users.

Patrice Spencer

Patrice Spencer on October 27, 2012, 1:02 a.m. Reply

It seems this one had to be a serious problem. It took 4 days to the crew to fix the problem and to send the patch to the users. Glad you have done it without some sites to be harmed.

Ivan Borisoff

Ivan Borisoff on November 14, 2012, 5:50 a.m. Reply

This one was a big threat. I’ve been around for couple of weeks, but I haven’t seen such in Moveable Type’s entries.

Leave a Comment

Byrne Reese

Byrne Reese was previously the Product Manager of Movable Type at Six Apart, where he had also held positions as the Manager of Platform Technology and Product Manager for TypePad. Byrne is a huge supporter of the Movable Type user and developer community. He dedicates much of his time to promoting and educating people about Movable Type as well as building the tools and plugins for Movable Type that are showcased on Majordojo. He contributes regularly to open source; and he is an advocate for open protocols and standards like Atom and OpenID.

Website: http://profile.typekey.com/byrnereese