Movable Type 5.13, 5.07, and 4.38 have been released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found during our internal security audit, except for the one reported by Trustwave (TWSL2012-003). All users must upgrade to these latest releases immediately.
Impact
5.13, 5.07, and 4.38 address multiple vulnerabilities, including:
- OS command injection in the file management system. The most serious case may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
- Session hijacking and CSRF in the commenting and community scripts. A remote attacker could hijack a user's session or execute arbitrary script code in the victim's browser under certain circumstances.
- XSS in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
- XSS in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003).
Solution
Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.
- Movable Type Open Source 4.38
- Movable Type Open Source 5.07
- Movable Type Open Source 5.13
- Movable Type 4.38 (with Professional Pack and Community Pack)
- Movable Type 5.07 (with Professional Pack and Community Pack)
- Movable Type 5.13 (with Professional Pack and Community Pack)
- Movable Type Enterprise 4.38
- Movable Type Advanced 5.13
Here are the release notes for this release.
Upgrading to Movable Type 5.13, 5.07, or 4.38
Download
You can download the latest packages from the following sites (What is the difference?).
- Download Movable Type Open Source
- Download Movable Type Pro for Bloggers
- Download Movable Type Pro, Enterprise, and Advanced for registered users
First, follow the instructions in Movable Type's upgrade guide to upgrade your Movable Type installation.
Refresh Templates
As a result of the security fixes in Movable Type 5.13, 5.06, and 4.38, some of the global templates and the JavaScript template in each blog were updated. You need to refresh those templates for commenting and the Community features to work once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version. Please refer to the following documentation.
Here are the details of template changes.
Changes in Movable Type 5.13, 5.07, and 4.38
You can see the complete list of fixed bugs at this FogBugz page.
The following significant changes have been made in Movable Type 5.13, 5.07, and 4.38.
- The mt:Include file="XXX" attribute is disabled in the default settings
In Movable Type 5.13, 5.07, 4.38, and later versions, the mt:Include file="XXX" attribute is disabled by default. This change prevents a template designer from reading arbitrary files on the server. You can re-enable the attribute with the AllowFileInclude configuration directive.
- Added .pm, .so, .rb, and .htc to DeniedAssetFileExtensions
New features in Movable Type 5.13
Supported Browsers
Movable Type 5.13 supports the following browsers and versions.
- Internet Explorer 9
- Firefox latest
- Safari latest
Security Enhancements
Movable Type 5.13 introduces the following security features.
- Account and IP Lockout
Account lockout protects your Movable Type account from password-guessing attacks, known as brute-force or dictionary attacks. Movable Type locks out an account after a defined number of incorrect password attempts.
- Changing Password Validation Rules
A system administrator can set password validation policies to require users to choose stronger passwords.
- Stronger Password Encryption
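To make the lockout mechanism described above concrete, here is an added example (not Movable Type's own code) of how an account-and-IP lockout can be implemented: failed sign-in attempts are counted per account and per source IP inside a sliding time window, and whichever counter reaches its limit is locked for a fixed interval. The limits, window, lockout duration, the `ip_whitelist` field and the sample addresses are all assumptions made for the illustration, not Movable Type's defaults or directive names.

```python
"""Account and IP lockout against password guessing (added illustration).

Not Movable Type's implementation: a self-contained model of the idea.
All limits, intervals and addresses below are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    user_limit: int = 5      # failures before an account locks (assumed value)
    ip_limit: int = 20       # failures before a source IP locks (assumed value)
    window: int = 600        # seconds over which failures are counted
    lockout: int = 900       # seconds a lock stays in force
    ip_whitelist: frozenset = frozenset()  # addresses never IP-locked (assumed)


class LockoutTracker:
    """Tracks failures keyed by ("user", name) and ("ip", address)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> timestamp when the lock expires

    def _recent_failures(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures.setdefault(key, deque())
        while q and q[0] <= now - self.policy.window:
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]   # lock expired, forget it
            return False
        return True

    def check(self, username, ip, now):
        """True if a sign-in attempt may proceed to password verification."""
        if self.is_locked(("user", username), now):
            return False
        if ip not in self.policy.ip_whitelist and self.is_locked(("ip", ip), now):
            return False
        return True

    def record_failure(self, username, ip, now):
        """Register a wrong password; returns the set of lock kinds triggered."""
        triggered = set()
        counters = (("user", ("user", username), self.policy.user_limit),
                    ("ip", ("ip", ip), self.policy.ip_limit))
        for kind, key, limit in counters:
            if kind == "ip" and ip in self.policy.ip_whitelist:
                continue
            q = self._recent_failures(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + self.policy.lockout
                q.clear()
                triggered.add(kind)
        return triggered

    def record_success(self, username, ip, now):
        # A correct password clears the account's counter only; the IP counter
        # keeps covering guesses spread across many different accounts.
        self._failures.pop(("user", username), None)


def simulate():
    """Run a constructed attempt sequence and return each attempt's outcome."""
    policy = LockoutPolicy(user_limit=3, ip_limit=5, window=600, lockout=900)
    tracker = LockoutTracker(policy)
    ip = "198.51.100.7"  # constructed example address
    outcomes = []
    # Three wrong passwords for alice lock her account; the same source IP
    # then guessing at bob and carol trips the per-IP limit on the fifth try.
    for t, user in enumerate(["alice", "alice", "alice", "bob", "carol"], start=1):
        if not tracker.check(user, ip, t):
            outcomes.append((t, user, "rejected: locked"))
            continue
        outcomes.append((t, user, sorted(tracker.record_failure(user, ip, t))))
    return outcomes


if __name__ == "__main__":
    for outcome in simulate():
        print(outcome)
```

The per-account counter alone stops a long guess run against one user; the per-IP counter catches a single source that tries a few passwords against many accounts, which is why a correct password resets only the account counter. The whitelist exists so that a shared office proxy or monitoring host cannot be locked out by one user's mistakes.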
umynam on February 25, 2012, 8:39 a.m.
I love this new version. Great work.
avocat divorce on February 28, 2012, 7:45 a.m.
Really nice work, good to know that MT is better protected against brute-force attacks.
Numéro RIO on May 31, 2012, 7:18 a.m.
Thx. Nice work Jun!
genf20 plus review site on June 8, 2012, 12:43 a.m.
Great improvements from the previous versions. I like this new version very much. lifecell review site
Click here on July 8, 2012, 7:31 a.m.
I was waiting for these security updates. Thanks. :)
Trade Show Display Booths on July 11, 2012, 12:15 a.m.
I am glad to read this. Thank you so much for providing individuals with such a breathtaking opportunity to read from this blog. It is always very enjoyable.
yasirra on July 11, 2012, 8:53 p.m.
Last month, I wrote a blog that emerged from a catechism that I aboriginal airish in a LinkedIn altercation appointment for associates of the Medical Device Inventors … mba application essays
jak poderwac dziewczyne on July 16, 2012, 1:34 p.m.
I agree with you, just updated to the latest version and I'm very happy with the improvements.
Andrew on July 19, 2012, 1:48 a.m.
This is a little bit very important for the user. And more apparently I was very impressed by this.
khotikali on July 20, 2012, 8:51 a.m.
Nice article, enjoyed it while reading it.
mira hair oil on August 13, 2012, 12:23 a.m.
Great update, now I finally hear the good news.
Fatty Liver Diet on August 13, 2012, 12:45 a.m.
I like open source, I support open source, cheering..
Deer antler velvet on August 29, 2012, 5:02 a.m.
If someone desires to be updated with the latest technologies afterward he must go to see this web page and be up to date every day.
العاب تلبيس on August 31, 2012, 11:17 a.m.
Greetings! This is my first visit to your blog! We are a collection of volunteers and starting a new project in a community in the same niche. Your blog provided us useful information to work on. You have done a wonderful job!
Annabella on September 5, 2012, 3:14 a.m.
Thanks for sharing this information, it really helped me a lot. mallorca yachts
Escort Berlin on November 1, 2012, 1:39 a.m.
There are a lot of blogs and articles out there on this topic, but you have captured another side of the subject. This is reliable content, thank you for sharing it.
Article Directories on November 6, 2012, 11:31 p.m.
Glad to be a guest of your blog, I seem to be forward to more good articles and I think we all love to thank so many fine articles, blog to share with us.
kieferorthopädie erwachsene on November 8, 2012, 12:03 a.m.
Having useful information from your site for quite a few months now. Thank you. These pots are suitable for solid plate, glass/ceramic, radiant ring, halogen and gas stoves.
Buy Cigarettes Online on November 15, 2012, 5:02 a.m.
I am glad to catch an idea from your article. It has information I have been searching for a long time. This looks absolutely perfect.
création site web Marrakech on November 16, 2012, 10:05 p.m.
site for quite a few months now. Thank you. These pots are suitable for solid plate, glass/ceramic, radiant ring, halogen and gas stoves.
stairs on November 22, 2012, 1:40 a.m.
Thank you all guys for posting a meaningful article which is really related for useful post.
Webdirectory on December 12, 2012, 2:56 a.m.
Really impressed! Everything is very open and very clear reason of issues. It contains truly news. Your website is very valuable. Thanks for sharing.
dich thuat on December 21, 2012, 11:41 p.m.
Thanks for sharing. I will download this version now.
Logopäde on July 18, 2013, 11:15 p.m.
I was too long on this version, it was about time that I updated…