It's always a pleasure for me to announce that Six Apart launches a new movable type release.
The pleasure is even higher when the update contains a combination of new features, bug fixes and isolated security issues.
There are almost 8 months from the previous release and many may have wondered if this product is further developed or not. Those that are aware of this place
) know that Six Apart Japan is working on every single day to make this product even better.
When movable type celebrated 10 years Jun Kaneko wrote a nice post called "Status of Movable Type development
". In that post he was showcasing the number of fixed and implemented cases over time and clearly shows that the work on improving movable type is stronger than ever.
You could judge the amount of excellent work that has been done from this version release note.
The main thing that you should be aware of and the main reason to immediate upgrade your installation is that this version fixes multiple vulnerabilities which include:
- OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has a permission to sign-in to the admin script and also has a permission to upload files.
- Session Hijack and CSRF exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code on victim's browser under the certain circumstances.
- XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
- XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002)
You may have learned on your skin that movable type v5.x didn't support Internet Explorer 9 as well as the latest versions of Firefox and Safari. Movable Type v5.13 is now compatible with all these browsers.
Movable Type considers security the main priority given the more and more attempts to exploit vulnerabilities across today's technologies.
What movable type adds to v5.13 in this respect is:
Account and IP Lockout
Account lockout is a feature to protect your Movable Type account from a password-guessing attack known as a brute force attack or a dictionary attack. Movable Type locks out accounts after defined number of incorrect password attempts.
Changing Password Validation Rules
A system administrator can set password validation policies to let users to use stronger passwords.
Stronger Password Encryption
I was myself signaling that movable type was recognizing only the first 8 characters of the password and that we need to make passwords stronger, now that there are so many *jerks* trying to penetrate various resources online.
Well, I'm delighted to announce that movable type v5.13 introduces a stronger password encryption algorithm which recognizes the password in its full length.
Six Apart also mentioned:
When you upgrade your installation from the older versions to 5.13, Movable Type users still can sign-in to the installation with the old passwords, but it is recommended to update their passwords to utilize this change.
Due to this change, the database column length of author_password was changed from 60 to 124.
You may like to take a look at them online at:
Movable Type Upgrade Consultant
Before closing let me remind you that I'm a movable type consultant available to upgrade your movable type installation, as well do any other movable type or web development work you might need.
As always, I've upgraded the movable type v4.x and v5.x installations available for online demo to the latest releases and you could access any of these installations from the top navigation menu (selecting "v4x" or "v5x").