Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except for the one reported by Trustwave (TWSL2012-003). All users must upgrade to this latest release immediately.
5.13, 5.07, and 4.38 address multiple vulnerabilities, including:
- OS command injection vulnerabilities exist in the file management system. The most serious of these may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
- Session hijacking and CSRF vulnerabilities exist in the commenting and community scripts. A remote attacker could hijack a user's session or execute arbitrary script code in the victim's browser under certain circumstances.
- XSS exists in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
- XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003).
Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.
- Movable Type Open Source 4.38
- Movable Type Open Source 5.07
- Movable Type Open Source 5.13
- Movable Type 4.38 (with Professional Pack and Community Pack)
- Movable Type 5.07 (with Professional Pack and Community Pack)
- Movable Type 5.13 (with Professional Pack and Community Pack)
- Movable Type Enterprise 4.38
- Movable Type Advanced 5.13
Here are the release notes for this release.
Upgrading to Movable Type 5.13, 5.07, or 4.38
You can download the latest packages from these sites (What is the difference?).
- Download Movable Type Open Source
- Download Movable Type Pro for Bloggers
- Download Movable Type Pro, Enterprise, and Advanced for registered users
First, follow the instructions found in Movable Type's upgrade guide to upgrade your Movable Type installation.
Here are the details of template changes.
Changes in Movable Type 5.13, 5.07, and 4.38
You can see the complete list of fixed bugs at this FogBugz page.
The following significant changes have been made in Movable Type 5.13, 5.07, and 4.38.
- mt:Include file="XXX" attribute is disabled in default settings
In Movable Type 5.13, 5.07, 4.38, and later versions, the file="XXX" attribute of mt:Include is disabled in the default settings. This change prevents a template designer from accessing arbitrary files on the server. You can enable the attribute by specifying the AllowFileInclude configuration directive.
- Added .pm, .so, .rb, and .htc to DeniedAssetFileExtensions
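The two hardening changes above are both configuration-driven. The following is an added example (not Movable Type's own code) that reads an mt-config.cgi-style fragment and applies the two rules the way an upload or template gate would: mt:Include file="..." is honoured only when AllowFileInclude is set, and an uploaded asset is refused when any of its extensions appears in DeniedAssetFileExtensions. The one-directive-per-line syntax, the comma-separated list format, and the sample extension list are assumptions made for the example; check the Movable Type documentation for the real defaults.

```python
# Added example, not Movable Type's code. Syntax and sample values are assumed.

# Constructed mt-config.cgi-style fragment; the extension list is illustrative.
SAMPLE_CONFIG = """\
# mt-config.cgi (constructed sample, not a real installation)
CGIPath /cgi-bin/mt/
StaticWebPath /mt-static/
DeniedAssetFileExtensions asp, cgi, exe, php, pl, py, pm, so, rb, htc
# AllowFileInclude deliberately absent: mt:Include file="..." stays disabled
"""


def parse_config(text):
    """Parse 'Directive value' lines into a dict; '#' lines and blanks are skipped.
    (Directive-per-line syntax is assumed here, not taken from the page.)"""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        cfg[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
    return cfg


def denied_extensions(cfg):
    """Normalise the comma-separated deny list to lower-case, dot-less extensions."""
    raw = cfg.get('DeniedAssetFileExtensions', '')
    return {e.strip().lower().lstrip('.') for e in raw.split(',') if e.strip()}


def file_include_allowed(cfg):
    """mt:Include file="..." is honoured only when AllowFileInclude is set to 1;
    an absent directive means the safe default (disabled)."""
    return cfg.get('AllowFileInclude', '0') == '1'


def asset_upload_allowed(filename, denied):
    """Refuse the upload if ANY dot-separated suffix is on the deny list,
    compared case-insensitively. Checking every suffix rather than only the
    last one is a deliberately conservative choice, because some web servers
    select a handler from any extension in the name, not just the final one."""
    suffixes = filename.lower().split('.')[1:]
    return not any(s in denied for s in suffixes)


if __name__ == '__main__':
    cfg = parse_config(SAMPLE_CONFIG)
    denied = denied_extensions(cfg)
    print('AllowFileInclude enabled:', file_include_allowed(cfg))
    for name in ('photo.jpg', 'Plugin.PM', 'notes.pm.txt', 'widget.htc', 'README'):
        verdict = 'allow' if asset_upload_allowed(name, denied) else 'DENY'
        print(f'{name:14s} -> {verdict}')
```

Because the deny list is matched against every suffix, a name such as notes.pm.txt is refused as well as Plugin.PM; if that is stricter than your deployment needs, reduce the check to the final suffix, but keep the case-insensitive comparison.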
New features in Movable Type 5.13
Movable Type 5.13 supports the following browsers and versions.
- Internet Explorer 9
- Firefox latest
- Safari latest
Movable Type 5.13 introduces the following security features.
- Account and IP Lockout
Account lockout is a feature that protects your Movable Type account from password-guessing attacks known as brute-force or dictionary attacks. Movable Type locks out an account after a defined number of incorrect password attempts.
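To make the lockout behaviour concrete, here is an added example (not Movable Type's own implementation) of an in-memory tracker that counts failed sign-ins per account and per source IP within a sliding window, locks either principal once its limit is reached, and refuses a locked principal regardless of the password supplied. The limits, interval lengths and the IP allowlist are assumed parameters chosen for illustration, and the `now` argument exists only so the timeline can be driven deterministically.

```python
# Added example, not Movable Type's code. Limits and intervals are assumed values.
import time
from collections import defaultdict, deque


class LockoutTracker:
    """Tracks failed sign-ins per account and per source IP and locks either
    out once the failure count within the interval reaches its limit."""

    def __init__(self, user_limit=5, user_interval=1800,
                 ip_limit=20, ip_interval=1800, ip_allowlist=()):
        self.user_limit, self.user_interval = user_limit, user_interval
        self.ip_limit, self.ip_interval = ip_limit, ip_interval
        self.ip_allowlist = set(ip_allowlist)   # never IP-locked (e.g. an office proxy)
        self._user_fail = defaultdict(deque)    # username -> failure timestamps
        self._ip_fail = defaultdict(deque)      # ip -> failure timestamps
        self._user_locked_until = {}
        self._ip_locked_until = {}

    @staticmethod
    def _prune(dq, now, interval):
        # Drop failures that have fallen out of the sliding window.
        while dq and dq[0] <= now - interval:
            dq.popleft()

    def status(self, username, ip, now=None):
        """Return 'ok', 'user_locked' or 'ip_locked' for a prospective attempt."""
        now = time.time() if now is None else now
        if self._user_locked_until.get(username, 0) > now:
            return 'user_locked'
        if ip not in self.ip_allowlist and self._ip_locked_until.get(ip, 0) > now:
            return 'ip_locked'
        return 'ok'

    def attempt(self, username, ip, password_ok, now=None):
        """Process one sign-in attempt and return its outcome.
        A locked principal is refused whatever the password, so a correct
        guess made during the lockout reveals nothing to the guesser."""
        now = time.time() if now is None else now
        state = self.status(username, ip, now)
        if state != 'ok':
            return state
        if password_ok:
            # Success clears only this account's counter. IP failures are kept:
            # otherwise one valid login would reset the counter for the whole IP.
            self._user_fail.pop(username, None)
            return 'success'
        return self._record_failure(username, ip, now)

    def _record_failure(self, username, ip, now):
        result = 'bad_password'
        uf = self._user_fail[username]
        self._prune(uf, now, self.user_interval)
        uf.append(now)
        if len(uf) >= self.user_limit:
            self._user_locked_until[username] = now + self.user_interval
            uf.clear()
            result = 'user_locked'
        if ip not in self.ip_allowlist:
            ipf = self._ip_fail[ip]
            self._prune(ipf, now, self.ip_interval)
            ipf.append(now)
            if len(ipf) >= self.ip_limit:
                self._ip_locked_until[ip] = now + self.ip_interval
                ipf.clear()
                result = 'ip_locked'
        return result


if __name__ == '__main__':
    # Constructed timeline: three bad passwords for one account from one IP.
    t = LockoutTracker(user_limit=3, user_interval=600, ip_limit=5, ip_interval=600)
    for i in range(4):
        print('attempt', i + 1, '->', t.attempt('alice', '203.0.113.9', False, now=1000 + i))
    print('correct password while locked ->', t.attempt('alice', '203.0.113.9', True, now=1010))
    print('after the interval ->', t.attempt('alice', '203.0.113.9', True, now=1700))
```

Two design points are worth noting. The IP counter is not reset by a successful login, so a guesser cannot clear it by signing in with an account they legitimately hold, and an allowlisted IP is exempt only from the IP lockout: accounts used from that IP are still locked after the account limit, which keeps the account policy uniform.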
- Changing Password Validation Rules
A system administrator can set password validation policies to require users to choose stronger passwords.
- Stronger Password Encryption