We are releasing Movable Type 6.0.7 and 5.2.12 as mandatory security updates. These updates resolved security-related issue discovered in all previous versions of Movable Type 6 and Movable Type 5. We strongly recommend upgrading to a modified version.
Details of the security updates
In previous versions, including the Movable Type 6.0.6 and 5.2.11 are susceptible to LFI (local file inclusion) attacks due to the vulnerability of Storable perl module. It allows an attacker to include a file and run any perl script the web server.
AFFECTED VERSIONS OF MOVABLE TYPE
- Movable Type Pro 6.0.x
- Movable Type Pro 5.2.x
- Movable Type Open Source (MTOS) 5.2.x
- Movable Type Advanced 6.0.x, 5.2.x
STEPS REQUIRED TO CLOSE THE SECURITY VULNERABILITIES
Please upgrade to the latest versions of Movable Type:
- Movable Type Pro 6.0.7
- Movable Type Pro 5.2.12
- Movable Type Open Source 5.2.12
- Movable Type Advanced 6.0.7
- Movable Type Advanced 5.2.12
VERSIONS THAT ARE NOT AFFECTED
- Movable Type Pro 6.1
- Movable Type Advanced 6.1
Movable Type 6.1 is already solved this issue.
Movable Type 5.0x and 5.1x has reached End of Life and is no longer supported. For users that are running any version of 5.0x and 5.1x, please upgrade to Movable Type 5.2.12, which is available at no additional charge to paid licensees of Movable Type 5 or users of Movable Type Open Source.
AVAILABILITY OF UPDATED VERSIONS OF MOVABLE TYPE
Movable Type Pro / Advanced 6.0.6, Movable Type Pro, Advanced, and Enterprise 5.2.9 are available through the Movable Type Software Repository Server. That server is located at https://mtuser.sixapart.jp/en/.
Movable Type Open Source 5.2.12 are available on download site.