Movable Type 5.13, 5.07, and 4.38 Security Updates

By Jun Kaneko

Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except for the one reported by Trustwave (TWSL2012-002). All users must upgrade to this latest release immediately.

Impact

5.13, 5.07, and 4.38 address multiple vulnerabilities, including:

  • OS command injection in the file management system. This is the most serious of the vulnerabilities: it may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
  • Session hijacking and CSRF in the commenting and community scripts. A remote attacker could hijack a user's session or execute arbitrary script code in the victim's browser under certain circumstances.
  • XSS in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002).

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.38
  • Movable Type Open Source 5.07
  • Movable Type Open Source 5.13
  • Movable Type 4.38 (with Professional Pack and Community Pack)
  • Movable Type 5.07 (with Professional Pack and Community Pack)
  • Movable Type 5.13 (with Professional Pack and Community Pack)
  • Movable Type Enterprise 4.38
  • Movable Type Advanced 5.13

Here are the release notes for this release.

Upgrading to Movable Type 5.13, 5.07, or 4.38

Download

You can download the latest packages from these sites (What is the difference?).

First, follow the instructions in Movable Type's upgrade guide to upgrade your Movable Type installation.

Refresh Templates

As a result of the security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and the JavaScript template in each blog were updated. You need to refresh those templates for commenting and Community features to work once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version. Please refer to the following documentation.

Here are the details of template changes.

Changes in Movable Type 5.13, 5.07, and 4.38

You can see the complete list of fixed bugs at this FogBugz page.

The following significant changes have been made in Movable Type 5.13, 5.07, and 4.38.

New features in Movable Type 5.13

Supported Browsers

Movable Type 5.13 supports the following browsers and versions.

  • Internet Explorer 9
  • Firefox latest
  • Safari latest

Security Enhancements

Movable Type 5.13 introduces the following security features.

  • Account and IP Lockout
    Account lockout protects your Movable Type account from password-guessing attacks such as brute-force and dictionary attacks. Movable Type locks out an account after a defined number of incorrect password attempts.
  • Changing Password Validation Rules
    A system administrator can set password validation policies so that users choose stronger passwords.
  • Stronger Password Encryption