
Recently in Security Update Category

Dear Friends,

Six Apart identified a security issue on movable type v4.2x and v4.3x installations.

The problem is that through the "mt-upgrade.cgi" script OS command injection or SQL injection could be performed and these actions might open a vulnerability.

This vulnerability affects all versions, namely: open source, professional and enterprise.

You could address this issue by implementing the patch from:

Or by deleting the "mt-upgrade.cgi" script, or by setting its file permissions to 000.

I strongly recommend that you apply this patch, or take one of the other two actions mentioned above, ASAP.
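An audit helper for the two non-patch mitigations above (delete mt-upgrade.cgi, or chmod it to 000), added here as an example and not part of the original post or of Movable Type; the install directories and the throwaway fixture are constructed for the demo:

```python
import os
import stat
import tempfile

SCRIPT_NAME = "mt-upgrade.cgi"


def mt_upgrade_cgi_status(mt_dir):
    """Return "absent", "neutralised" or "exposed" for one MT install dir.

    "absent" and "neutralised" (mode 000) are the two mitigations from the
    post; any remaining permission bit means the script is still reachable.
    """
    path = os.path.join(mt_dir, SCRIPT_NAME)
    if not os.path.exists(path):
        return "absent"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return "neutralised" if mode == 0 else "exposed"


def mt_upgrade_cgi_neutralise(mt_dir):
    """Apply the chmod-000 mitigation and return the resulting status."""
    path = os.path.join(mt_dir, SCRIPT_NAME)
    if os.path.exists(path):
        os.chmod(path, 0)
    return mt_upgrade_cgi_status(mt_dir)


def audit(install_dirs):
    """Check several MT install dirs at once; returns {dir: status}."""
    return {d: mt_upgrade_cgi_status(d) for d in install_dirs}


def make_demo_install(mode=0o755):
    """Constructed fixture: a temp dir holding an empty, executable
    mt-upgrade.cgi, standing in for a real MT installation."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, SCRIPT_NAME)
    open(p, "w").close()
    os.chmod(p, mode)
    return d


if __name__ == "__main__":
    demo = make_demo_install()
    print(audit([demo]))                    # {...: 'exposed'}
    print(mt_upgrade_cgi_neutralise(demo))  # neutralised
```

Run it against your real install directories by passing them to `audit()` instead of the fixture.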

If you need help applying this patch or upgrading movable type to v5.2.2, I'm available.

Kind Regards,
Mihai Bocsaru
It's always a pleasure for me to announce that Six Apart has launched a new movable type release.

The pleasure is even greater when the update combines new features, bug fixes and fixes for isolated security issues.

Almost 8 months have passed since the previous release, and many may have wondered whether this product is still being developed. Those who are aware of this place (http://bugs.movabletype.org) know that Six Apart Japan is working every single day to make this product even better.

When movable type celebrated its 10th anniversary, Jun Kaneko wrote a nice post called "Status of Movable Type development". In that post he showcased the number of fixed and implemented cases over time, which clearly shows that the work on improving movable type is stronger than ever.

You could judge the amount of excellent work that has been done from this version release note.


Vulnerabilities' Fixes


The main thing you should be aware of, and the main reason to upgrade your installation immediately, is that this version fixes multiple vulnerabilities, which include:

  • OS command injection in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
  • Session hijacking and CSRF in the commenting and community script. A remote attacker could hijack the user session or could execute arbitrary script code in the victim's browser under certain circumstances.
  • XSS in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002).


New Features


Supported Browsers


You may have learned the hard way that movable type v5.x didn't support Internet Explorer 9 or the latest versions of Firefox and Safari. Movable Type v5.13 is now compatible with all these browsers.


Security Enhancements


Movable Type considers security its main priority, given the ever-increasing number of attempts to exploit vulnerabilities across today's technologies.

What movable type adds to v5.13 in this respect is:

  • Account and IP Lockout

    Account lockout is a feature that protects your Movable Type account from password-guessing attacks known as brute force or dictionary attacks. Movable Type locks out accounts after a defined number of incorrect password attempts.

  • Changing Password Validation Rules

    A system administrator can set password validation policies that make users choose stronger passwords.

  • Stronger Password Encryption

    I myself had been pointing out that movable type recognized only the first 8 characters of the password, and that we needed to make passwords stronger now that there are so many *jerks* trying to penetrate various resources online.

    Well, I'm delighted to announce that movable type v5.13 introduces a stronger password encryption algorithm which uses the password in its full length.

    Six Apart also mentioned:

    When you upgrade your installation from the older versions to 5.13, Movable Type users can still sign in to the installation with the old passwords, but it is recommended to update their passwords to utilize this change.

    Due to this change, the database column length of author_password was changed from 60 to 124.
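To show why the account lockout and the IP lockout described above are two separate counters, here is a small tracker added as an example (it is not Movable Type's code, and the thresholds, account names and IP addresses are constructed for the demo): one source cycling through many accounts trips the IP lock, while many sources hammering one account trips the account lock.

```python
import time
from collections import defaultdict

# Constructed policy values for the demo, not Movable Type's own defaults.
MAX_FAILURES = 5        # failures before the account or the IP is locked
FAILURE_WINDOW = 300    # seconds over which failures are counted
LOCKOUT_SECONDS = 900   # how long a lock lasts once tripped


class LockoutTracker:
    """Counts failed sign-ins per account and per source IP, locking either."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(list)   # key -> recent failure timestamps
        self.locked_until = {}              # key -> unlock timestamp

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: reset the key
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, account, ip, password_ok):
        """Record one sign-in attempt; returns "locked", "ok" or "bad"."""
        acct_key, ip_key = ("acct", account), ("ip", ip)
        if self.is_locked(acct_key) or self.is_locked(ip_key):
            return "locked"                 # refuse even a correct password
        if password_ok:
            self.failures.pop(acct_key, None)   # account counter resets;
            return "ok"                         # the IP counter does not
        now = self.clock()
        for key in (acct_key, ip_key):      # a failure counts against both
            recent = [t for t in self.failures[key] if now - t < FAILURE_WINDOW]
            recent.append(now)
            self.failures[key] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
        return "bad"
```

A real deployment would persist the counters (MT stores them in the database) rather than keep them in process memory.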


Other Enhancements


In total there are 65 cases detailed at http://movabletype.fogbugz.com/ which are now part of this movable type v5.13 release.

You may like to take a look at them online at:


Movable Type Upgrade Consultant


Before closing, let me remind you that I'm a movable type consultant available to upgrade your movable type installation, as well as to do any other movable type or web development work you might need.

Contact me from the contact page if you need a quote!

P.S.

As always, I've upgraded the movable type v4.x and v5.x installations available for online demo to the latest releases, and you can access any of these installations from the top navigation menu (selecting "v4x" or "v5x").

Many thanks,
Mihai Bocsaru
As Jun Kaneko from Six Apart KK pointed out recently, his crew is auditing the core of this excellent publishing platform and will continue to come up with improvements and security fixes.

On June 22nd, Six Apart KK announced movable type v5.12, v5.06 and v4.37 as mandatory security updates, mentioning that these updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x and that all users must upgrade to this latest release immediately.

The impact of the vulnerabilities is described as:

Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.


Go ahead and upgrade your installation right away or hire me to upgrade it on your behalf.

Movable Type Installation Upgraded to v4.37

Movable Type Installation Upgraded to v5.12


Find these releases available under the "v4x" and "v5x" pages from the top navigation.

Happy testing!
Today Six Apart KK announced movable type v4.361, movable type v5.11 and movable type v5.051 as mandatory security updates.

These updates resolve critical vulnerabilities discovered in Movable Type 4.x and Movable Type 5.x.

The impact of the vulnerabilities is that a remote attacker could create, read or modify the contents in the system under certain circumstances.

All users must upgrade to this latest release immediately.

N.B.

If you need help upgrading your installation(s), I'm available.

Movable Type Installation Upgraded to v4.361

Movable Type Installation Upgraded to v5.11

Dear Friends,

Today movable type v4.36 and v5.05 were released as mandatory security updates.

If you are running movable type v4.35 upgrade it to v4.36, and if you are using movable type v5.0x upgrade it to v5.05.

In case you need somebody to upgrade your movable type installation, I'm available.

movable type upgraded to v4.36

I've also upgraded movable type v4.x to v4.36. This release is available from:

Kind Regards,
Mihai Bocsaru
