It's always a pleasure for me to announce that Six Apart launches a new movable type release.
The pleasure is even higher when the update contains a combination of new features, bug fixes and isolated security issues.
It has been almost 8 months since the previous release, and many may have wondered whether this product is still being developed. Those who follow the bug tracker (http://bugs.movabletype.org) know that Six Apart Japan is working every single day to make this product even better.
When Movable Type celebrated 10 years, Jun Kaneko wrote a nice post called "Status of Movable Type development". In that post he showcased the number of fixed and implemented cases over time, which clearly shows that the work on improving Movable Type is stronger than ever.
You can judge the amount of excellent work that has been done from this version's release notes.
Vulnerabilities' Fixes
The main thing you should be aware of, and the main reason to upgrade your installation immediately, is that this version fixes multiple vulnerabilities, which include:
- OS command injection in the file management system. The most serious case may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
- Session hijacking and CSRF in the commenting and community scripts. A remote attacker could hijack the user session or execute arbitrary script code in the victim's browser under certain circumstances.
- XSS in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
- XSS in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002).
New Features
Supported Browsers
You may have learned the hard way that Movable Type v5.x didn't support Internet Explorer 9 or the latest versions of Firefox and Safari. Movable Type v5.13 is now compatible with all of these browsers.
Security Enhancements
Movable Type treats security as the main priority, given the growing number of attempts to exploit vulnerabilities across today's technologies.
What movable type adds to v5.13 in this respect is:
Account and IP Lockout
Account lockout is a feature that protects your Movable Type account from password-guessing attacks, known as brute force or dictionary attacks. Movable Type locks out accounts after a defined number of incorrect password attempts.
Changing Password Validation Rules
A system administrator can set password validation policies to make users choose stronger passwords.
Stronger Password Encryption
I myself had pointed out that Movable Type was recognizing only the first 8 characters of the password and that we needed to make passwords stronger, now that there are so many *jerks* trying to penetrate various resources online.
Well, I'm delighted to announce that Movable Type v5.13 introduces a stronger password encryption algorithm which recognizes the password in its full length.
Six Apart also mentioned:
When you upgrade your installation from the older versions to 5.13, Movable Type users can still sign in to the installation with their old passwords, but it is recommended that they update their passwords to take advantage of this change.
Due to this change, the database column length of author_password was changed from 60 to 124.
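To make the difference concrete, here is an added Python example (not Movable Type's code) that models the old behaviour described above as a truncate-then-hash scheme next to a full-length salted hash, with a verify routine that still accepts old-format hashes but flags them for re-hashing at the next successful login, as the upgrade note suggests. The legacy model, the fixed salt, the PBKDF2 parameters and the `legacy$`/`pbkdf2$` prefixes are all assumptions for the demo, not Movable Type's storage format.

```python
import hashlib
import hmac

LEGACY_SIGNIFICANT_CHARS = 8        # the truncation the post describes
PBKDF2_ROUNDS = 20_000              # constructed parameter, not MT's
SALT = b"constructed-demo-salt"     # constructed; real code uses a random per-user salt


def legacy_hash(password: str, salt: bytes = SALT) -> str:
    """Model of the pre-5.13 scheme (assumption): only the first 8 characters
    of the password reach the hash; anything after them is silently ignored."""
    truncated = password[:LEGACY_SIGNIFICANT_CHARS].encode()
    return "legacy$" + hashlib.sha256(salt + truncated).hexdigest()


def full_length_hash(password: str, salt: bytes = SALT) -> str:
    """Full-length, salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + digest.hex()


def verify(stored: str, password: str) -> tuple:
    """Return (password_ok, needs_rehash). Old-format hashes still verify,
    mirroring the upgrade note, but are flagged so the account can be
    re-hashed with the full-length scheme once the user signs in."""
    if stored.startswith("legacy$"):
        ok = hmac.compare_digest(stored, legacy_hash(password))
        return ok, ok
    ok = hmac.compare_digest(stored, full_length_hash(password))
    return ok, False


def effective_length(password: str, scheme) -> int:
    """Smallest prefix length whose hash equals the full password's hash,
    i.e. how many characters the scheme actually checks. Useful as a quick
    audit of any hashing routine: anything below len(password) is truncating."""
    target = scheme(password)
    for n in range(len(password) + 1):
        if hmac.compare_digest(scheme(password[:n]), target):
            return n
    return len(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("legacy checks", effective_length(pw, legacy_hash), "chars")        # 8
    print("full-length checks", effective_length(pw, full_length_hash), "chars")  # 28
    print("truncated guess against legacy hash:", verify(legacy_hash(pw), pw[:8]))
```

Under the legacy model any two passwords sharing their first 8 characters are interchangeable, which is exactly why a guesser only has to cover an 8-character space.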
Other Enhancements
You may want to take a look at them online at:
Movable Type Upgrade Consultant
Before closing, let me remind you that I'm a Movable Type consultant available to upgrade your Movable Type installation, as well as to do any other Movable Type or web development work you might need.
P.S.
As always, I've upgraded the Movable Type v4.x and v5.x installations available for online demo to the latest releases, and you can access any of these installations from the top navigation menu (by selecting "v4x" or "v5x").
Many thanks,
Mihai Bocsaru