
Movable Type 7 r.5003 (v7.8.2), v6.8.3: Security update

By Daiji Hirata
Posted October 20, 2021, in MT Newsbox.

A critical security issue was found and fixed in the XMLRPC API of Movable Type.

For those of you who use Movable Type 4.0 and later, Six Apart strongly recommends that you upgrade to the latest version or apply one of the following workarounds immediately.

Detail of the issue

Through the XMLRPC API of MT (mt-xmlrpc.cgi), OS command injection (RCE) could be performed. This issue can be exploited when mt-xmlrpc.cgi is reachable and executable from the Internet.

Workarounds for those who cannot upgrade to the latest version

One of the following steps can be taken to avoid or reduce the effect of the vulnerability.

  • Remove the execution permission of mt-xmlrpc.cgi
  • Delete the mt-xmlrpc.cgi file
  • Restrict the access to mt-xmlrpc.cgi on the Internet
  • PSGI env: Set RestrictedPSGIApp xmlrpc in mt-config.cgi (6.2 and later), or set XMLRPCScript to a string of random characters long enough that it cannot be guessed (6.1 and earlier)
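As an added check (not Six Apart's code), the POSIX shell function below reports which of the file-level or config-level workarounds above is in effect for an install; it assumes the MT directory passed in holds both mt-xmlrpc.cgi and mt-config.cgi, and the web-server access restriction cannot be seen from the filesystem, so that one must be verified in the web server or firewall configuration.

```shell
# Report which workaround from the advisory is in effect for an MT install.
# Prints one of: removed, not-executable, psgi-restricted, script-renamed, exposed.
# Returns 0 when some workaround is in place, 1 when mt-xmlrpc.cgi looks exposed.
# Assumption: "$1" is the MT directory containing mt-xmlrpc.cgi and mt-config.cgi.
mt_xmlrpc_status() {
  mt_dir="$1"
  cgi="$mt_dir/mt-xmlrpc.cgi"
  cfg="$mt_dir/mt-config.cgi"

  # Workaround: the mt-xmlrpc.cgi file has been deleted.
  if [ ! -e "$cgi" ]; then
    echo "removed"; return 0
  fi

  # Workaround: execute permission removed (CGI cannot run).
  if [ ! -x "$cgi" ]; then
    echo "not-executable"; return 0
  fi

  # Workaround (PSGI, 6.2+): "RestrictedPSGIApp xmlrpc" in mt-config.cgi.
  # Accepts xmlrpc anywhere in a comma/space separated list on that line.
  if [ -f "$cfg" ] && grep -Eqi \
       '^[[:space:]]*RestrictedPSGIApp[[:space:]]+([^#]*[[:space:],])?xmlrpc([[:space:],]|$)' "$cfg"; then
    echo "psgi-restricted"; return 0
  fi

  # Workaround (PSGI, 6.1 and earlier): XMLRPCScript set to an unguessable name.
  # Heuristic: any XMLRPCScript value other than the default mt-xmlrpc.cgi.
  if [ -f "$cfg" ] && grep -Eqi '^[[:space:]]*XMLRPCScript[[:space:]]+' "$cfg" \
     && ! grep -Eqi '^[[:space:]]*XMLRPCScript[[:space:]]+mt-xmlrpc\.cgi[[:space:]]*$' "$cfg"; then
    echo "script-renamed"; return 0
  fi

  # Nothing found on disk; the only remaining mitigation is a network/web-server
  # access restriction, which this check cannot observe.
  echo "exposed"; return 1
}
```

Run it as `mt_xmlrpc_status /path/to/mt` on each install; any host that prints "exposed" needs the upgrade or a web-server restriction on mt-xmlrpc.cgi.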

Since Six Apart has already ended support for Movable Type 4.x, 5.x, and 6.0.x-6.3.x, we strongly recommend upgrading to the latest version, Movable Type 7 r.5003 or 6.8.3.

Released Versions

  • Movable Type r.5003 (v7.8.2)
  • Movable Type Advanced r.5003 (v7.8.2)
  • Movable Type AMI (via AWS Marketplace) r.5003 (v7.8.2)
  • Movable Type Advanced AMI (via AWS Marketplace) r.5003 (v7.8.2)
  • Movable Type v6.8.3
  • Movable Type Advanced v6.8.3
  • Movable Type AMI (via AWS Marketplace) v6.8.3
  • Movable Type Advanced AMI (via AWS Marketplace) v6.8.3

Release Notes

Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.

How to get Movable Type 7 and 6.8

If you have an existing Movable Type 7 or 6.8 license, you can download the latest Movable Type from our download portal using your Six Apart ID.

To purchase a new license or an upgrade, please visit MovableType.com for more information, or feel free to contact us if you have any questions.

Movable Type 6.8 is subject to LTS (long-term support) and will receive problem fixes and security fixes until 2022. However, in order to use Movable Type 6.5.x/6.6.x/6.7.x/6.8.x, the “Pro Unlimited annual license” needs to be renewed every year.
