Mar 1 2012

Note: This patch was updated on the 5th of March, 2012 after the initial release on the 1st of March. If you still see the "Template load error" after applying the initial patch, please download the patch again and re-apply it.

Thanks to community feedback, we found an issue in the Movable Type 5.13, 5.07, and 4.38 Security Updates and created a patch to resolve it. Because of the stricter policy in 5.13, 5.07 and 4.38, some plugins produce the "Template load error". There are two ways to resolve this error:

We recommend option (1), fixing the plugin, because the AllowFileInclude directive weakens the protection against malicious plugins and templates. Please do not forget to disable the AllowFileInclude directive once you update your plugin to the fixed version.

Please refer to the following pages for details.

If you are not seeing this "Template load error" after your upgrade, you don't need to apply this patch. This patch will be included in the next release of Movable Type.

Feb 21 2012

Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except for the one reported by Trustwave (TWSL2012-002). All users must upgrade to this latest release immediately.

Impact

5.13, 5.07, and 4.38 address multiple vulnerabilities, including:

  • OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
  • Session Hijack and CSRF exist in the commenting and the community scripts. A remote attacker could hijack the user session or could execute arbitrary script code in the victim's browser under certain circumstances.
  • XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002).

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.38
  • Movable Type Open Source 5.07
  • Movable Type Open Source 5.13
  • Movable Type 4.38 (with Professional Pack, Community Pack)
  • Movable Type 5.07 (with Professional Pack, Community Pack)
  • Movable Type 5.13 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.38
  • Movable Type Advanced 5.13

Here are the release notes for this release.

Upgrading to Movable Type 5.13, 5.07, or 4.38

Download

You can download the latest packages from these sites (What is the difference?).

First, follow the instructions found in Movable Type's upgrade guide to upgrade your Movable Type installation.

Refresh Templates

As a result of the security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and the JavaScript template in each blog were updated. You need to refresh those templates before you can comment or use Community features once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version. Please refer to the following documentation.

Here are the details of template changes.

Changes in Movable Type 5.13, 5.07, and 4.38

You can see the complete list of fixed bugs at this FogBugz page.

The following significant changes have been made in Movable Type 5.13, 5.07, and 4.38.

New features in Movable Type 5.13

Supported Browsers

Movable Type 5.13 supports the following browsers and versions.

  • Internet Explorer 9
  • Firefox latest
  • Safari latest

Security Enhancements

Movable Type 5.13 introduces the following security features.

  • Account and IP Lockout
    Account lockout is a feature that protects your Movable Type account from a password-guessing attack known as a brute force attack or a dictionary attack. Movable Type locks out accounts after a defined number of incorrect password attempts.
  • Changing Password Validation Rules
    A system administrator can set password validation policies to let users use stronger passwords.
  • Stronger Password Encryption

Jun 22 2011

Movable Type 5.12, 5.06, and 4.37 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. All users must upgrade to this latest release immediately.

The impact of the vulnerabilities

Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.

Versions Affected

  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x (with Professional Pack, Community Pack)
  • Movable Type 5.x (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.37
  • Movable Type Open Source 5.06
  • Movable Type Open Source 5.12
  • Movable Type 4.37 (with Professional Pack, Community Pack)
  • Movable Type 5.06 (with Professional Pack, Community Pack)
  • Movable Type 5.12 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.37
  • Movable Type Advanced 5.12

Download

(What is the difference?)

Installation/upgrade instructions

Fixed issues

The following issues were fixed in MT5.12.

  • 106303 Published URL was changed after upgrading to 5.1x

The following issues were fixed in Movable Type 5.12, 5.06, and 4.37.

  • 106307 Permission error when saving custom fields settings without a system administration privilege

Jun 8 2011

Movable Type 5.11, 5.051, and 4.361 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. All users must upgrade to this latest release immediately.

The impact of the vulnerabilities

A remote attacker could create, read or modify the contents in the system under certain circumstances.

Versions Affected

  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x (with Professional Pack, Community Pack)
  • Movable Type 5.x (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.361
  • Movable Type Open Source 5.051
  • Movable Type Open Source 5.11
  • Movable Type 4.361 (with Professional Pack, Community Pack)
  • Movable Type 5.051 (with Professional Pack, Community Pack)
  • Movable Type 5.11 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.361
  • Movable Type Advanced 5.11

Download

(What is the difference?)

Installation/upgrade instructions

New features and fixed issues

Please see the release notes for new features and fixed issues in Movable Type 5.11, 5.051, and 4.361.

May 24 2011

After three months of beta testing, the official release of Movable Type 5.1 is now ready to download. Movable Type 4.36 and 5.05 have also been released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.

About Movable Type 5.1

Please see the following links for details.

Movable Type 5.1 includes a lot of feedback, patches and contributions from our community. Thank you very much for all of your help!

Movable Type 4.36 and 5.05 Security Updates

The impact of the vulnerabilities

A remote attacker could execute arbitrary code in a logged-in user's web browser. A remote attacker could read or modify the contents in the system under certain circumstances.

Versions Affected

  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x (with Professional Pack, Community Pack)
  • Movable Type 5.x (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.36
  • Movable Type Open Source 5.05
  • Movable Type Open Source 5.1
  • Movable Type 4.36 (with Professional Pack, Community Pack)
  • Movable Type 5.05 (with Professional Pack, Community Pack)
  • Movable Type 5.1 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.36
  • Movable Type Advanced 5.1

Special thanks to Alfasado, Eldar Marcussen and other reporters for reporting these security issues.

Download

(What is the difference?)

Installation/upgrade instructions

Apr 20 2011

Movable Type 5.1 RC1 is now available to download. In Release Candidate 1, the development team has implemented all new features and fixed major bugs. If we don't find any new issues in the regression testing that follows (and your feedback is also crucial at this final moment), Movable Type 5.1 will be ready to ship around the end of May. Please check the 5.1 schedule wiki for updates toward the production release!

Here are the release notes for Movable Type 5.1 RC1. Please note that minor cases are not listed here; please see FogBugz for all cases.

For more details:

Reporting Bugs

Your feedback is important for getting Movable Type 5.1 ready for the final release. Without your feedback, it is almost impossible for developers to test the software in all of the various conditions that might occur. So please don't hesitate to create a new case.

We look forward to hearing from you!

Dec 7 2010

Movable Type 5.04 and Movable Type 4.35 were released today. These are mandatory security updates for all users. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x.

Impact

A remote attacker could execute arbitrary code in a logged-in user's web browser. A remote attacker could read or modify the contents in the system under certain circumstances.

Versions Affected

  • Movable Type Open Source 4.x
  • Movable Type Open Source 5.x
  • Movable Type 4.x (with Professional Pack, Community Pack)
  • Movable Type 5.x (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.x

Solution

Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.

  • Movable Type Open Source 4.35
  • Movable Type Open Source 5.04
  • Movable Type 4.35 (with Professional Pack, Community Pack)
  • Movable Type 5.04 (with Professional Pack, Community Pack)
  • Movable Type Enterprise 4.35

Oct 5 2010

Movable Type 5.031 was released today. This is a bugfix release without new features. It does not contain a security fix. Movable Type 5.031 fixed an issue in 5.03.

  • 104608 : "Script Error" occurs when opening the "rebuild_confirm" screen in some hosting environments.

Download

(What is the difference?)

Installation/upgrade instructions

Note: if you purchased a Movable Type license you can also purchase our installation or upgrade service and have all the work done by our excellent support team.

Found a bug? Need a feature?

  1. To avoid duplication of efforts, search existing bugs or feature requests (from the feedback page) before submitting a new bug.
  2. Head over to the bug report/feature request form and let us know!

Sep 26 2010

After the recent announcement about Six Apart, some of you might have been wondering about the future of Movable Type. We can be very clear about that: of course we will continue development and support of this platform that now has a decade of history behind it.

  • Movable Type 4 remains rock-solid blogging software for all uses.
  • Movable Type 5 is a new step up for managing multiple sites.
  • Melody is driven by the most enthusiastic community of bleeding-edge developers.

All this software shares the same root: Movable Type, the publishing platform.

Movable Type 5.1 is in the final development phase; we are anticipating a beta release early this winter. We are also planning another 4.x release to keep this mature branch up to date.

All these developments are open to the public. You can check our daily activities on FogBugz and in our code repositories. And just like every open source project, we appreciate your help to make Movable Type (even) Better!

Sep 8 2010

Movable Type 5.03 was released today. This is a bugfix release without new features. It does not contain any security fix. Details about the issues that were fixed can be found in the release note.

Download

(What is the difference?)

Installation/upgrade instructions

Note: if you purchased a Movable Type license you can also purchase our installation or upgrade service and have all the work done by our excellent support team.

Found a bug? Need a feature?

  1. To avoid duplication of efforts, search existing bugs or feature requests (from the feedback page) before submitting a new bug.
  2. Head over to the bug report/feature request form and let us know!