Announcing Movable Type 3.35
Late last week we released Movable Type 3.35 and Movable Type Enterprise 1.53. The impetus for this release was an XSS vulnerability that was found in our comment preview code. The vulnerability affects only a small number of people, but we felt it important to address the issue as soon as we could. And since we were turning on the release machines we went ahead and tackled a couple of other bug fixes and introduced a new feature as well.
The new feature is a dramatically improved installation process. Now, when new users install Movable Type and access it for the first time, the Movable Type Setup Wizard will help them configure the platform on their web server. It asks them a few questions and then takes care of the rest. It makes installing Movable Type downright tolerable!
Coincidentally, we recently made big changes to how you download Movable Type as well. Now users seeking the personal and free edition of Movable Type no longer have to hunt for the link, or create an account in TypeKey to download the software. Just click the big button that says "Download Movable Type."
These two recent changes are relatively minor from a technical standpoint, but we think they will have a huge impact for new users and people seeking an upgrade, because when combined they have made Movable Type easier to download and install than ever before.
But alas, back to the security vulnerability. The vulnerability affects only those users using Internet Explorer 6.0 who have logged in via TypeKey to preview a comment they wish to publish. The vulnerability would allow malicious individuals to hijack these users' TypeKey sessions. Practically speaking, this affects only a small handful of users, but we felt it was an important update nonetheless.
Since the bug is found within the default templates for a published blog, the fix must be applied manually to your existing blogs. The steps below detail how to apply the fix across all the blogs in your system.
Instructions to Fix the Security Vulnerability Manually
1. Login to Movable Type.
2. From the System Overview, click "Search and Replace" located in the right hand navigation menu.
3. From the search screen, click on the "Templates" tab.
4. Conduct a search for <$MTCommentPreviewAuthor$>
5. From the search results page, select the "Search and Replace" radio button.
6. In the "Replace:" text field enter the following: <$MTCommentPreviewAuthor encode_html="1"$>
7. Select all the templates displayed in the search results by clicking the checkbox next to each one.
8. Click the "Replace Checked" button.
9. Repeat steps 4-8 replacing <$MTCommentPreviewEmail$> with <$MTCommentPreviewEmail encode_html="1"$>
10. Repeat steps 4-8 replacing <$MTCommentPreviewURL$> with <$MTCommentPreviewURL encode_html="1"$>
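As an added example (our own illustration, not code shipped with Movable Type), here is a small Python script that does what the Search and Replace steps above do by hand: it flags comment-preview tags that still lack encode_html="1", applies the same replacement, and shows with a stand-in for MT's tag substitution why the encoded form neutralises markup in a commenter's name. The render_preview function and the sample template are assumptions for the demonstration, not MT's real template engine or default template.

```python
import re
import html

# The three preview tags the advisory says must carry encode_html="1".
PREVIEW_TAGS = ("MTCommentPreviewAuthor", "MTCommentPreviewEmail", "MTCommentPreviewURL")
TAG_ALT = "|".join(PREVIEW_TAGS)

# Matches <$MTCommentPreviewX$> with no attributes at all: the vulnerable form.
UNENCODED = re.compile(r"<\$(" + TAG_ALT + r")\$>")

def find_unencoded_tags(template: str) -> list:
    """Return the names of preview tags that still lack encode_html (in order)."""
    return [m.group(1) for m in UNENCODED.finditer(template)]

def harden_template(template: str) -> str:
    """Apply the advisory's replacement: <$TAG$> -> <$TAG encode_html="1"$>.
    Already-hardened tags are left untouched, so this is safe to run twice."""
    return UNENCODED.sub(r'<$\1 encode_html="1"$>', template)

def render_preview(template: str, author: str, email: str, url: str) -> str:
    """Minimal stand-in for MT tag substitution (assumption: not MT's engine).
    Tags carrying encode_html="1" are HTML-escaped; bare tags are inserted verbatim,
    which is exactly what let attacker-controlled markup reach the preview page."""
    values = {"MTCommentPreviewAuthor": author,
              "MTCommentPreviewEmail": email,
              "MTCommentPreviewURL": url}
    def substitute(m):
        name, attrs = m.group(1), m.group(2)
        value = values[name]
        return html.escape(value, quote=True) if 'encode_html="1"' in attrs else value
    return re.sub(r"<\$(" + TAG_ALT + r")([^$]*)\$>", substitute, template)

# Constructed sample: a trimmed comment-preview fragment in the vulnerable form.
SAMPLE_TEMPLATE = (
    '<p>Name: <$MTCommentPreviewAuthor$></p>\n'
    '<p>Email: <$MTCommentPreviewEmail$></p>\n'
    '<p>URL: <$MTCommentPreviewURL$></p>\n'
)

if __name__ == "__main__":
    print("unfixed tags:", find_unencoded_tags(SAMPLE_TEMPLATE))
    fixed = harden_template(SAMPLE_TEMPLATE)
    print("after fix:", find_unencoded_tags(fixed))
    # A name containing markup is rendered literally before the fix and escaped after it.
    print(render_preview(SAMPLE_TEMPLATE, "Ann <b>Smith</b>", "ann@example.invalid", "http://example.invalid"))
    print(render_preview(fixed, "Ann <b>Smith</b>", "ann@example.invalid", "http://example.invalid"))
```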
P.S. I feel we should also apologize for the delay in the release announcement. Six Apart is a bit crazy right now with the Web 2.0 Expo going on.
