Recently in Fixes Category

Jun 19 2008

Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free mandatory security updates for all Movable Type 4.x users. These updates resolve a vulnerability which has not been exploited, but was reported to us by a third party on June 16 (corrected; originally stated as June 15). We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below, but in short a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which could be exploited by malicious parties to execute JavaScript without permission.

We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.

Movable Type Update Advisor: Version 4.01b and 4.12:

  • Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
  • Upgrade Fatigue: No planned updates are scheduled until the release of MT4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT4.

Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.

In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.

A Commitment to Security

We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes to affected versions of Movable Type, we have also amended our development and testing processes internally to help better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.

Detailed Description

When conducting a tag search in Movable Type, the application is not properly escaping the optional IncludeBlogs query string parameter. As a result, one could construct an exploit whereby a user could click on a link that conducts a tag search and, unbeknownst to them, also execute malicious JavaScript code embedded by the third party. Malicious JavaScript code could be used to transmit sensitive information about the user's active session.
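The defensive pattern behind this kind of fix, as an added example rather than the code in Movable Type's own lib/MT/App/Search.pm: a reflected query-string parameter is allow-listed to the shape it is expected to have and then HTML-escaped before it is written back into the page. It assumes (an assumption, not stated on this page) that IncludeBlogs is a comma-separated list of numeric blog IDs.

```python
# Added example (not Movable Type's code): validating and escaping a reflected
# query-string parameter such as IncludeBlogs before it is written into HTML.
# Assumption: IncludeBlogs is a comma-separated list of numeric blog IDs.
import html
import re
from typing import List, Optional

_INCLUDE_BLOGS_RE = re.compile(r"^\d+(,\d+)*$")


def parse_include_blogs(raw: Optional[str]) -> Optional[List[int]]:
    """Return the blog IDs, or None when the value is not a plain ID list."""
    if raw is None:
        return None
    raw = raw.strip()
    if not _INCLUDE_BLOGS_RE.match(raw):
        return None
    return [int(part) for part in raw.split(",")]


def render_hidden_field_unsafe(include_blogs: str) -> str:
    """The pattern behind the bug: the parameter is copied into markup verbatim."""
    return f'<input type="hidden" name="IncludeBlogs" value="{include_blogs}">'


def render_hidden_field(raw: Optional[str]) -> str:
    """Hardened: allow-list the value first, then escape whatever is echoed."""
    ids = parse_include_blogs(raw)
    if ids is None:
        # Unexpected shape: drop the parameter rather than reflect it.
        return ""
    value = html.escape(",".join(str(i) for i in ids), quote=True)
    return f'<input type="hidden" name="IncludeBlogs" value="{value}">'


if __name__ == "__main__":
    probe = '1,2"><script>'                    # constructed test value
    print(render_hidden_field_unsafe(probe))    # markup breaks out of the attribute
    print(render_hidden_field(probe))           # empty: rejected by the allow-list
    print(render_hidden_field("1,2,3"))         # normal case, escaped on output
```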

Versions Affected

Only the following versions of Movable Type are affected by this issue.

  • Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
  • Movable Type 4.1 (Open Source, Personal and Commercial)
  • Movable Type Community Solution 1.0, 1.0a
  • Movable Type Community Solution 1.5
  • Movable Type Enterprise Solution 1.0

All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.

Applying the Fix

  • Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.
  • Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.

Learn more about Upgrading Movable Type 4 in the MT documentation.

As always, thank you so much for choosing Movable Type and we sincerely apologize for the inconvenience of having to upgrade your software, and are committed to making such updates as infrequent as possible.

May 21 2007

All recent versions of Movable Type include a number of plugins for blocking spam, including a set of plugins called SpamLookup. We wanted to update you about a third-party service that’s affected the performance of one of the plugins, along with some easy steps you can take to fix the issue.

Recently, an IP blacklist service known as Blitzed ceased its operations. Movable Type’s SpamLookup plugin uses this service to process incoming comments and TrackBacks to determine if they are spam or not. With Blitzed shut down, a lot of you might be experiencing delays when publishing your readers’ comments.

Though we’re sorry to see Blitzed go (and thank the team for their efforts), the good news is that a free replacement is available. The SpamHaus Project has been in operation for over 9 years and has a long track record of providing excellent protection against known spammers. In addition to their technology that they allow people to use for free, Spamhaus works with Law Enforcement and cyber-crimes teams worldwide, helping them not only to block these miscreants, but also to bring them to justice.

Adding Spamhaus to your spam filtering rules is straightforward; you'll need to make a small change to SpamLookup's configuration. To fix the issue, follow these simple instructions:

  1. Login to Movable Type. (Your account will need to have System Administrator privileges.)
  2. Click on the “Plugins” link in the main navigation on the left hand side.
  3. Look for the “SpamLookup - Lookups” plugin set listed among your other plugins.
  4. Click “Show Settings.”
  5. Under “IP Blacklist Services” highlight and replace the text “opm.blitzed.org” with “zen.spamhaus.org”.
  6. Click “Save Settings.”


That’s it — your site’s visitors should experience faster commenting times immediately, and your blog will keep blocking known spammers. If you need more information on fighting spam on your blog, take a look at the Movable Type Spam-Fighting resources on the community wiki, or contact Movable Type support for assistance.
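To show why a retired blacklist slows commenting rather than breaking it, here is an added example (not SpamLookup's own code) of how an IP blacklist lookup of this kind is formed and evaluated: the commenter's address is reversed, the configured zone is appended, and the name is resolved; a zone that never answers is treated as an error, not a listing. The resolver is injectable so the logic runs offline; the listing values and the zones' behaviour in the fake resolver are constructed for the example.

```python
# Added example (not SpamLookup's code): how an IP blacklist (DNSBL) lookup
# of the kind SpamLookup performs is formed and evaluated, with the resolver
# injectable so the logic can be exercised offline.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted quad and append the blacklist zone."""
    addr = ipaddress.IPv4Address(ip)           # raises on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Look the name up via the OS resolver; None means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: result}: the listing address, 'clean', or 'error'.

    A zone whose lookup raises (for example a service that has shut down and
    now times out) is reported as 'error' and does not count as a listing, so
    a dead blacklist can only slow the check, never block a legitimate comment.
    """
    results: Dict[str, str] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except OSError:                        # TimeoutError is an OSError
            results[zone] = "error"
            continue
        results[zone] = answer if answer else "clean"
    return results


def is_listed(results: Dict[str, str]) -> bool:
    return any(r not in ("clean", "error") for r in results.values())


def fake_resolver(name: str) -> Optional[str]:
    """Constructed offline resolver: one listed address, one dead zone."""
    if name.endswith(".opm.blitzed.org"):
        raise TimeoutError("no response from retired blacklist")
    return {"1.2.0.192.zen.spamhaus.org": "127.0.0.2"}.get(name)
```

Pass `system_resolver` (the default) to query a real zone; the fake resolver exists so the error path can be seen without waiting on a timeout.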

Jul 1 2005

This evening we released many enhancements to our TypeKey authentication service. For this release we addressed some lingering issues, and implemented several new features. Here are some of the highlights.

  • For new users, we streamlined the registration and account activation process.
  • When you login to TypeKey, you can now elect to have the system remember you for up to two weeks, streamlining the commenting process for users who comment on TypeKey-enabled blogs frequently.
  • We introduced a new page that is displayed to TypeKey users if their email sharing preference conflicts with the requesting site's email address collection requirements.

A note to developers that have built applications that integrate with TypeKey: this release does not change the TypeKey protocol, and should not have any impact on your applications.

We're very excited about this release, and hope that it will simplify the TypeKey registration and authentication process.

Jun 20 2005

Today we are releasing a patch to fix an issue for customers running Movable Type versions 3.16 or 3.17 and using UTF-8 character encoding on their weblogs. Specifically, a bug introduced in Movable Type 3.16 causes the dirify routine to preserve dashes in transformed text where, historically, it has suppressed them. This could be problematic because the dirify routine is used to create all URLs in Movable Type.

While default Movable Type installations are not adversely affected by this bug, there are certain common or legacy customizations (which will be detailed below) that could cause problems. For that reason, if you are using UTF-8 and MT 3.16 or 3.17, we suggest that you download and install the patch just to be safe. The steps are as follows:

  1. Download the patch plugin (1K): tar/gzip (good for Unix), zip (good for Windows)
  2. Uncompress the file as you would Movable Type (e.g. double click it or use a decompression program like Winzip or Stuffit)
  3. Upload the uncompressed file (named patch-20050616-utf8dirify-nodash.pl) to the 'plugins' folder of your main Movable Type application directory.
  4. Rebuild any templates or archives that are published statically

More details on the bug and the patch can be found below. We apologize for any inconvenience that this may have caused and thank those of you who brought the issue to light.

Mar 2 2005

Just a short note to those of you who may have tried to contact us recently: Apparently, we've had some trouble with the hamsters[*] who power our contact forms — most noticeably between Feb 28th-March 1st.

If you tried to contact us and haven't heard back, please re-send your inquiry either through the contact form or to contact@sixapart.com, and we'll make sure it gets answered.

Sorry about the inconvenience and thanks for your patience.

[*] - Don't worry. They are treated well and also have dental insurance but simply went on vacation without telling us...

Jan 24 2005

Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions in which the user has enabled comment notifications. This vulnerability allows a malicious user to send email through the application to any number of arbitrary users.

All Movable Type users should install this update.

If you already purchased Movable Type, or downloaded the free version, you’ll be able to download the new release for free from your Movable Type account.

For those users who don't want to do a full upgrade just yet, we are also making this fix available in the form of a plugin: zip (1K) or tar/gz (1K) archive. This plugin is compatible with all 3.x versions as well as v2.661 (and perhaps even older versions although they haven't been tested) and affords your installation the same exact protections as v3.15 provides.

Full details of the release changes can be found in the changelog.

We apologize for this oversight and thank you for being patient. You can bet we like spammers less than you do.

UPDATE: It should be noted that the default Movable Type installation is not vulnerable to this exploit as comment notifications must be enabled in order for it to be effective. The post above has been modified to reflect that fact.

Nov 26 2003

The "Email this to a friend" functionality in the mt-send-entry.cgi script is vulnerable to being used by spammers to send spam messages. In principle, all "email this to a friend" programs are vulnerable to being used by spammers, because they allow the user to specify a To: address and a message body. But in practice, MT's implementation of this is not as robust as it should be, and a new version is available below.

This fix is already included in all versions of MT 2.64 downloaded from today on.

If you're not using this functionality at all, we recommend that you simply remove mt-send-entry.cgi from your MT directory. MT doesn't have any hooks to use this script by default anyway, so you won't be breaking your MT installation.

If you are using this functionality on your MT weblog, you should download this package with a new version of mt-send-entry.cgi, unzip it, and replace the version of mt-send-entry.cgi on your server. The new version:

  • fixes a vulnerability that allows spammers to inject extra headers into messages;
  • removes the ability to send the message to multiple recipients;
  • restricts the message to 250 characters.

All of these fixes serve to discourage the script being used by spammers.
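The three changes listed above, written out as a stand-alone validator for an "email this to a friend" form (an added example, not the updated mt-send-entry.cgi itself, and Python rather than the script's Perl): a recipient containing a line break is rejected because a CR or LF inside a header value is what lets extra headers be appended, only one bare address is accepted, and the body is capped at 250 characters. The address pattern and the header layout are simplifications assumed for the example.

```python
# Added example (not mt-send-entry.cgi): the checks the updated script is
# described as adding, as a stand-alone validator plus a header builder that
# only ever sees validated values.
import re
from typing import Optional

MAX_MESSAGE_CHARS = 250
# Deliberately simple address shape: one local part, one domain, no whitespace,
# and none of the separators that would join several recipients.
_ADDRESS_RE = re.compile(r"^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$")


def check_send_request(to: str, message: str) -> Optional[str]:
    """Return None when the request is acceptable, else the reason it is not.

    - Header injection: any CR or LF in a header value lets the caller append
      further headers, so a recipient containing either is rejected outright.
    - Multiple recipients: separators and anything not matching one address
      are rejected, so the form can only ever reach a single person.
    - Message length: bodies over MAX_MESSAGE_CHARS are rejected rather than
      silently truncated, so the sender sees the limit.
    """
    if "\r" in to or "\n" in to:
        return "recipient contains a line break"
    if not _ADDRESS_RE.match(to.strip()):
        return "recipient is not a single e-mail address"
    if len(message) > MAX_MESSAGE_CHARS:
        return f"message longer than {MAX_MESSAGE_CHARS} characters"
    return None


def build_headers(to: str, sender: str, subject: str) -> str:
    """Assemble headers from already-checked values; CRLF comes from us only."""
    # Subject is a header value too, so fold any line break it carries.
    subject = subject.replace("\r", " ").replace("\n", " ")
    lines = [f"To: {to.strip()}", f"From: {sender}", f"Subject: {subject}"]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed inputs: one well-formed request, one with an injected line.
    print(check_send_request("friend@example.com", "Have a look at this entry."))
    print(check_send_request("friend@example.com\r\nX-Extra: 1", "hi"))
```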

Feb 17 2003

If you upgraded to 2.6 or 2.61, you need to upgrade immediately to 2.62. There is a security vulnerability in 2.6 and 2.61. If you have already upgraded, you can either download the upgrade distribution and perform a normal upgrade, or download the Author.pm file to replace the lib/MT/Author.pm on your server.

We're sorry for the inconvenience this may have caused. Because beta-testing with the number of testers we use makes it difficult to catch all bugs, we will most likely be implementing public beta tests in the future.

Jun 28 2002

Movable Type 2.21 has now been released with a very important bug fix to the MySQL schema.

The bug was that the created_on columns were timestamp fields, which means that MySQL updates them when an explicit value is not provided for them--this modifies the Authored On dates of any entries you modify. This bug will not occur if you are using MT itself, but only if you try to issue an insert or update command from the mysql client, phpMyAdmin, or another client tool. Thanks to shanson for finding this bug.

Version 2.21 has an updated schema that fixes the problem. So:

If you have not yet upgraded to 2.21 or installed Movable Type:
You can just install the system as normal, because the fixed schema has been integrated into the distribution.

If you have already upgraded, AND you are using the MySQL support:
1. Upgrade to 2.21 per the usual upgrade instructions.
2. Download this additional file and unpack it. It contains a CGI script called mt-upgrade221.cgi.
3. Upload mt-upgrade221.cgi to your webserver in ASCII mode into the directory containing mt.cgi.
4. CHMOD mt-upgrade221.cgi to 755
5. Run mt-upgrade221.cgi from your web browser. It should list the "alter table" statements that it is performing, then tell you that "all went well". If so, you're upgraded successfully, and you can delete mt-upgrade221.cgi from your server.

If you have already upgraded, and you are not using the MySQL support:
It is not urgent that you upgrade to 2.21, although there are some other small bug fixes in this release. Note: if you're not using MySQL, you don't have to run mt-upgrade221.cgi.

Here's the full changelog. The upgrade and full install for 2.21 can be downloaded from the download page.

Jan 7 2002

We made a rather messy mistake of naming the default stylesheet included in 1.4 "styles.css" because that clashes (if stored in the same directory) with the name of the stylesheet used by the MT app.

If you haven't downloaded 1.4 yet, don't worry -- a correction has already been made to the distribution.

If you have downloaded 1.4 and just happened to wipe out your MT system stylesheet, you will need to re-upload the styles.css that was in the distribution into the directory containing mt.cgi. Then go into MT, and change the name of the Stylesheet index template to "styles-site.css" (or something), then change each of the templates to use this new stylesheet name (rather than styles.css).

If you have downloaded 1.4 and nothing seems amiss, then it is because the two stylesheets are in separate directories.