Movable Type Security Update
Today we are releasing a mandatory security update for all Movable Type users, to address a potential security issue which has been reported by a third party. A detailed description of the vulnerability can be found later in this post, but to summarize: In affected versions of Movable Type, there are certain circumstances in which a blog template may be rendered dynamically via CGI in an otherwise static publishing context. If you use Movable Type to publish PHP files (or JSP or ASP pages) and have embedded within your Movable Type templates sensitive information (such as database connection information), then that sensitive information could potentially be exposed and viewed publicly.
There is no record of a customer having been affected by this vulnerability. Here's the Update Advisor, a simple scorecard to let you evaluate this new release.
Movable Type Update Advisor: Version 4.01a and 3.36
- Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
- Mandatory? This is a mandatory update for all users of Movable Type.
- Performance Implications: None.
- Plugins Affected: None.
- Templates Affected: No changes in your templates are required.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 4.01a and MT 3.36 are free updates for users of any version of MT 4 or 3.3.
- Upgrade Fatigue: No planned updates are scheduled until the release of MT4.1, which is currently in beta. There will be no further releases before MT 4.1 unless significant security issues are found which require a 4.0x release. It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.
In addition to the updates to Movable Type 4.01a for MT4 users and Movable Type 3.36 for MT3 users, we have issued updates to Movable Type Enterprise and to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should be contacted by your account representative about these updates shortly.
We also recognize that many Movable Type users are still running version 3.2. If you are running version 3.2, you can download a patched Comments.pm. Please note that this patch is only intended for use with Movable Type version 3.2.
While we routinely perform security evaluations and do regular testing of Movable Type, and strive to make Movable Type as secure and reliable as possible, we sometimes have to release these updates in order to address issues found outside the course of our scheduled testing and release process. We sincerely apologize for the inconvenience of having to update your software.
Detailed Description
When a script is executed on a web server it can only be processed by a single interpreter (e.g. Perl, PHP, Java, etc.). In other words, a Perl script cannot output PHP code that is then subsequently processed by the PHP interpreter later in the request chain. Scripts should therefore only output content intended for a browser.
In Movable Type this may pose a problem when the Individual Entry Archive template is used to output static PHP (or JSP, ASP, etc) files to the file system. In the event that these templates are processed dynamically and displayed via a CGI then the server side code that they contain will become visible to the outside world. This can only occur when the Individual Archive Template is used to display comments dynamically.
There is an additional script in use by a very small number of users called mt-view.cgi which exhibits a similar behavior.
Generally speaking, this in and of itself may not pose a security threat, unless of course your templates output sensitive information intended to be processed by the server only, such as database connection information.
Versions Affected
All versions of Movable Type released since 3.2 (inclusive) are affected by this vulnerability.
Applying the Fix
- Users of Movable Type 4.01 can install the updated Movable Type 4.01a.
- Users of Movable Type 3.3x can install the updated Movable Type 3.36.
- Users of Movable Type 3.2 can replace Comments.pm (found in /path/to/mt/lib/MT/App/) with a patched version of Comments.pm.
In addition, users of all versions of Movable Type are encouraged to remove the script entitled mt-view.cgi.
Learn more about Upgrading Movable Type 4 or Upgrading Movable Type 3 in the MT documentation.
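As an added illustration of the exposure described under Detailed Description, and of a check a site owner can run after applying the fix, the following scanner (not code from Six Apart or the Movable Type distribution) looks at what a browser actually receives from a dynamically rendered page, such as a comment preview, and reports any server-side PHP, JSP or ASP blocks that the interpreter should have consumed. The sample pages and the credential string inside them are constructed; `audit_url` and its target URL are an assumed convenience for checking a live site.

```python
import re
import urllib.request

# Server-side delimiters that a browser should never see once the interpreter
# has run. An <?xml ...?> declaration is legitimate static output and is excluded.
LEAK_PATTERNS = {
    "php": re.compile(r"<\?(?:php\b|=|(?!xml\b)).*?(?:\?>|\Z)",
                      re.IGNORECASE | re.DOTALL),
    "jsp/asp": re.compile(r"<%[=@!]?.*?(?:%>|\Z)"
                          r"|<script[^>]+runat=[\"']?server.*?</script>",
                          re.IGNORECASE | re.DOTALL),
}
# Tokens that turn a leaked code block into a credential disclosure.
SENSITIVE = re.compile(r"mysql_connect|mysqli_connect|new PDO|password|passwd|DBUser",
                       re.IGNORECASE)

def find_leaked_server_code(body):
    """Return (kind, line_no, snippet, sensitive) for each unprocessed server-side block."""
    findings = []
    for kind, pat in LEAK_PATTERNS.items():
        for m in pat.finditer(body):
            line_no = body.count("\n", 0, m.start()) + 1
            snippet = " ".join(m.group(0).split())[:60]
            findings.append((kind, line_no, snippet, bool(SENSITIVE.search(m.group(0)))))
    return sorted(findings, key=lambda f: f[1])

def page_is_clean(body):
    return not find_leaked_server_code(body)

def audit_url(url):
    """Fetch a dynamically rendered page (e.g. a comment preview) and scan it."""
    with urllib.request.urlopen(url, timeout=10) as resp:  # hypothetical target URL
        return find_leaked_server_code(resp.read().decode("utf-8", "replace"))

# Constructed sample: a .php archive template rendered through CGI instead of PHP.
LEAKED_PAGE = """<html><head><title>Entry</title></head><body>
<?php
  $link = mysql_connect('localhost', 'mt_user', 'example-only'); // constructed, not real
?>
<div class="comments">...</div>
</body></html>"""

# Constructed sample: the same template after the PHP interpreter consumed the block.
CLEAN_PAGE = """<?xml version="1.0" encoding="utf-8"?>
<html><head><title>Entry</title></head><body>
<div class="comments">...</div>
</body></html>"""

if __name__ == "__main__":
    for kind, ln, snip, sensitive in find_leaked_server_code(LEAKED_PAGE):
        flag = " [contains sensitive data]" if sensitive else ""
        print(f"line {ln}: unprocessed {kind} block{flag}: {snip}")
```

A finding means the page was produced by the CGI path rather than by the PHP/JSP/ASP interpreter; the `sensitive` flag only says whether the leaked block also contains something that looks like connection details.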
TrackBacks
Listed below are links to blogs that reference this entry: Movable Type Security Update.
Sixapart released Movable Type 4.01a today. It is a Security Update. No matter MT 3.2, MT 3.3x or MT4.01, upgrade is required. For MT4.01, just download the gz package and decompress it. Overwriting the MovableType 4.01 installation is OK. No...
There wouldn't be any easy upgrade instructions would there? As in, which files have the changes so that way instead of uploading the entire package again we can just upload the necessary fixed files.
This is the one thing that has always bothered me about MovableType, no easy upgrade package to download between versions and patches.
I've used MT since version 2.x and, somehow, until now my forms were still in an old style with no "static" hidden field.
My case is most certainly very rare, but it did cause an "Invalid Request" error when posting comments after applying this update.
When asking Six Apart about this I was told that it's necessary to add the following to my comment forms:
Just thought I'd share in case others encounter the same.
Where is the update for 3.36?
@Chris - 3.35 was the last officially released version of Movable Type 3.x. Therefore 3.36 is the upgrade that contains this fix. If you are asking where you can download 3.36, you can download it from your Movable Type Customer Account if you already purchased 3.35 over a year ago. We otherwise no longer sell or make 3.x available - well, that is not entirely true, Personal users can get a personal use version of 3.36 from our archives.