
Movable Type 5.13, 5.07, and 4.38 Security Updates

By Jun Kaneko
Posted February 21, 2012, in News.

Movable Type 5.13, 5.07, and 4.38 have been released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except for the one reported by Trustwave (TWSL2012-003). All users must upgrade to this latest release immediately.

Impact

5.13, 5.07, and 4.38 address multiple vulnerabilities, including:

  • OS command injection vulnerabilities exist in the file management system; the most serious of them may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
  • Session hijack and CSRF vulnerabilities exist in the commenting and community scripts. A remote attacker could hijack a user's session or execute arbitrary script code in the victim's browser under certain circumstances.
  • XSS exists in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003).

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.38
  • Movable Type Open Source 5.07
  • Movable Type Open Source 5.13
  • Movable Type 4.38 (with Professional Pack and Community Pack)
  • Movable Type 5.07 (with Professional Pack and Community Pack)
  • Movable Type 5.13 (with Professional Pack and Community Pack)
  • Movable Type Enterprise 4.38
  • Movable Type Advanced 5.13

Here are the release notes for this release.

Upgrading to Movable Type 5.13, 5.07, or 4.38

Download

You can download the latest packages from these sites (what is the difference?).

First, follow the instructions in Movable Type's upgrade guide to upgrade your Movable Type installation.

Refresh Templates

As a result of the security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and the JavaScript template in each blog were updated. Once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version, you need to refresh those templates for commenting and Community features to work. Please refer to the following documentation.

Here are the details of template changes.

Changes in Movable Type 5.13, 5.07, and 4.38

You can see the complete list of fixed bugs at this FogBugz page.

The following significant changes have been made in Movable Type 5.13, 5.07, and 4.38.

New features in Movable Type 5.13

Supported Browsers

Movable Type 5.13 supports the following browsers and versions.

  • Internet Explorer 9
  • Firefox latest
  • Safari latest

Security Enhancements

Movable Type 5.13 introduces the following security features.

  • Account and IP Lockout
    Account lockout is a feature that protects your Movable Type account from password-guessing attacks, known as brute force or dictionary attacks. Movable Type locks out an account after a defined number of incorrect password attempts.
  • Changing Password Validation Rules
    A system administrator can set password validation policies to let users use stronger passwords.
  • Stronger Password Encryption
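To illustrate the account and IP lockout behaviour described above, here is an added Python example; it is not Movable Type's own code (which is Perl). It tracks failed sign-ins per account and per source IP and locks either once its failures within a window reach a limit. The limits, window, lockout duration and the sample attempts are constructed values, not Movable Type's configuration directives or defaults.

```python
from collections import defaultdict

# Constructed thresholds for this example, not Movable Type's directives or defaults.
USER_LOCKOUT_LIMIT = 5    # failures per account before it is locked
IP_LOCKOUT_LIMIT = 10     # failures per source IP before it is locked
FAILURE_WINDOW = 300      # seconds a failed attempt keeps counting
LOCKOUT_DURATION = 900    # seconds a locked account or IP stays locked


class LoginLockout:
    """Counts failed sign-ins per account and per source IP and locks
    either key once its failures inside FAILURE_WINDOW reach the limit."""

    def __init__(self):
        self.failures = defaultdict(list)  # key -> failure timestamps
        self.locked_until = {}             # key -> time the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is not None and now < until:
            return True
        self.locked_until.pop(key, None)   # expired lock is cleared lazily
        return False

    def record_failure(self, username, ip, now):
        for key, limit in ((("user", username), USER_LOCKOUT_LIMIT),
                           (("ip", ip), IP_LOCKOUT_LIMIT)):
            recent = [t for t in self.failures[key] if now - t < FAILURE_WINDOW]
            recent.append(now)
            if len(recent) >= limit:
                self.locked_until[key] = now + LOCKOUT_DURATION
                recent = []
            self.failures[key] = recent

    def attempt(self, username, ip, password_ok, now):
        """Outcome of one sign-in: 'locked', 'ok' or 'failed'."""
        if self.is_locked(("user", username), now) or self.is_locked(("ip", ip), now):
            return "locked"   # rejected before the password is even checked
        if password_ok:
            # Success resets the account counter only; the IP counter keeps
            # counting so one host guessing across many accounts still locks.
            self.failures.pop(("user", username), None)
            return "ok"
        self.record_failure(username, ip, now)
        return "failed"


def simulate(attempts):
    """attempts: (time, username, ip, password_ok) tuples; returns outcomes."""
    lock = LoginLockout()
    return [lock.attempt(u, ip, ok, t) for t, u, ip, ok in attempts]
```

A correct password presented while the account or IP is locked is still rejected, which is what makes the lockout effective against guessing.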

24 Comments

umynam on February 25, 2012, 8:39 a.m.

I love this new version. Great Work

avocat divorce on February 28, 2012, 7:45 a.m.

Really nice work, good to know that MT is better protected against force attack.

Numéro RIO on May 31, 2012, 7:18 a.m.

Thx. Nice work Jun !

genf20 plus review site on June 8, 2012, 12:43 a.m.

Great improvements from the previous versions. I like these new versions very much. lifecell review site

Click here on July 8, 2012, 7:31 a.m.

I was waiting for these security updates. Thanks. :)

Trade Show Display Booths on July 11, 2012, 12:15 a.m.

I am glad to read this. Thank you so much for providing individuals with such a breathtaking opportunity to read from this blog. It is always very enjoyable.

yasirra on July 11, 2012, 8:53 p.m.

Last month, I wrote a blog that emerged from a catechism that I aboriginal airish in a LinkedIn altercation appointment for associates of the Medical Device Inventors … mba application essays

jak poderwac dziewczyne on July 16, 2012, 1:34 p.m.

I agree with you, just updated to the latest version and I’m very happy with the improvements.

Andrew on July 19, 2012, 1:48 a.m.

This is a little bit very important for the user. And more apparently I was very impressed by this.

khotikali on July 20, 2012, 8:51 a.m.

Nice article, enjoyed while reading it.

mira hair oil on August 13, 2012, 12:23 a.m.

Great update, now I finally hear the good news.

Fatty Liver Diet on August 13, 2012, 12:45 a.m.

I like open source, I support open source, cheering.

Deer antler velvet on August 29, 2012, 5:02 a.m.

If someone desires to be updated with the latest technologies afterward he must go to see this web page and be up to date every day.

العاب تلبيس on August 31, 2012, 11:17 a.m.

Greetings! This is my first visit to your blog! We are a collection of volunteers and starting a new project in a community in the same niche. Your blog provided us useful information to work on. You have done a wonderful job!

Annabella on September 5, 2012, 3:14 a.m.

Thanks for sharing this information, it really helped me a lot. mallorca yachts

Escort Berlin on November 1, 2012, 1:39 a.m.

There are a lot of blogs and articles out there on this topic, but you have captured another side of the subject. This is reliable content, thank you for sharing it.

Article Directories on November 6, 2012, 11:31 p.m.

Glad to be a guest of your blog, I seem to be forward to more good articles and I think we all love to thank so many fine articles, blog to share with us.

kieferorthopädie erwachsene on November 8, 2012, 12:03 a.m.

Having useful information from your site for quite a few months now. Thank you. These pots are suitable for solid plate, glass/ceramic, radiant ring, halogen and gas stoves.

Buy Cigarettes Online on November 15, 2012, 5:02 a.m.

I am glad to catch idea from your article. It has information I have been searching for a long time. This looks absolutely perfect.

création site web Marrakech on November 16, 2012, 10:05 p.m.

site for quite a few months now. Thank you. These pots are suitable for solid plate, glass/ceramic, radiant ring, halogen and gas stoves.

stairs on November 22, 2012, 1:40 a.m.

Thank you all guys for posting a meaningful article which is really related for useful post.

Webdirectory on December 12, 2012, 2:56 a.m.

Really impressed! Everything is very open and very clear reason of issues. It contains truly news. Your website is very valuable. Thanks for sharing.

dich thuat on December 21, 2012, 11:41 p.m.

Thanks for sharing. I will download this version now.

Logopäde on July 18, 2013, 11:15 p.m.

I was too long on this version, it was about time that I updated…