This is a personal website and doesn't have anything to do with Six Apart; nevertheless, Chris Alden, the former Six Apart CEO, appreciated my idea when he saw it available online.

Recently in Security Update Category

Six Apart launched today v6.3.6 and v6.2.7 as mandatory security releases.

An issue with the "Edit Template" privilege on websites and blogs has been fixed.

The release note is:

[Important] Fixed an issue where the 'Edit Template' privilege on websites or blogs are still enabled even if the 'Edit Template' system privilege is revoked from a user. (#114845 / #114958)

Affected versions are all the movable type pro and advanced versions.

Six Apart didn't make patches available for v6.1.x or older versions of movable type v6, because those have already reached their EOL (end of life).

They highly recommend upgrading to the latest version.


In order to evaluate movable type v6.3.6, please go to:

And login using:

- u: demo

- p: testthis


On June 22nd, 2016, Six Apart issued Movable Type v6.2.6 as a mandatory security update which fixes "An issue involving possible SQL injection originating through the XML-RPC interface".

This version also addresses an issue with log rotation on Movable Type for AWS.

You are not required to upgrade if you've disabled the XML-RPC script.


Six Apart released today movable type v6.2.4.

This version includes a security patch which affects movable type v6.2 and movable type v6.2.2.

The issue involves XSS in the new upload dialog. It is strongly recommended to upgrade your v6.x installation ASAP.

Apart from the security patch, this new version includes lots of other new and improved functions, as well as many bug fixes.

To summarize just a few items:

  • an improved new upload screen with the ability to easily cancel uploads;
  • an updated Data API (v3, actually v3.1);
  • a few new configuration directives;
  • the activity log will record blog cloning and category updates;
  • assets improvements;
  • entries and pages improvements;
  • movable type advanced improvements;
  • dynamic publishing improvements;
  • dashboard improvements;
  • themes improvements;
  • templates improvements;
  • template tags improvements;
  • and more.

Here we go with the complete list of the latest development:

Security Patches

Medium: An issue involving XSS on the new upload dialog has been fixed. This issue occurs on 6.2.x versions only.

New & Improved Functions

Improved New Upload Screen

We've revised new upload screen UI to make it easier to use.

The droppable area will be wide

The area that accepts a dropped file was changed to the entire screen or the entire area of the modal dialog. The droppable area that displayed on the upload screen has been removed by this change. The droppable area will appear if you drag files.

The waiting files are always displayed on top of the list

The order of the upload file list was changed. This change makes it possible to cancel uploading easily.

Data API v3

Internal version of the API will be 3.1. The endpoint version is still "/v3/".

New endpoint to get the API version

Added a new endpoint to get the API version that returns endpoint version and internal API version. Your application can judge API version after launching.

GET /version

    {
        "endpointVersion": "v3",
        "apiVersion": "3.1"
    }

  • endpointVersion: The major version of the API that is used in the endpoint URI.
  • apiVersion: The internal API version. We bump up the version number if a minor change or bug fix occurs.

New resource fields for Sites are available

It is possible to get the value for default upload destination and default upload options that were added in Movable Type 6.2. Please see below for a list of new fields.

  • uploadDestination.path
  • upload_destination.raw
  • extraPath
  • allowToChangeAtUpload
  • operationIfExists
  • normalizeOrientation
  • autoRenameNonAscii

Also, please see below for full reference of Data API.

Revised the data format for Date and Time field of CustomFields

In previous versions, the value of Date and Time fields always returned raw data (e.g. 20151218120000) even if the option is specified. Also you should specify the data with the same format for update.

From this version, it will be able to perform the get and set in a format depending on the option.


  • Data Format: iso 8601 datetime
  • Data Format: date only
  • Data Format: time only

New Configuration Directives

BasenameCheckCompat (0 | 1)

If set to 1, MT will perform the duplicate check for basename by combination of folders and basename. The default value is 0 (disabled).


The script name for full text search script. The default value is mt-ftsearch.cgi


  • The activity log will be recorded when making a clone of a blog.
  • The activity log will be recorded when updating a category.
  • Entry graph always appears even if cannot connect to the Google Analytics.

Updated Functions

Data API

  • The "date and time" field type with a value of empty now sets value as "null" instead of "0000-00-00T00:00:00 + TZ".

Template Tags

  • If the result of MTBlogRelativeURL does not end with slash, a slash is added automatically.
  • The result of MTArchiveCount is changed to always return 1 if it is in the Individual Archive.


  • mixiCommenter plugin is no longer bundled because they discontinued their OpenID Authentication service.
  • MT::App::Search::Legacy application is no longer mounted automatically if running on PSGI environment.

Resolved Issues

Data API

  • Asset attaching now works when saving a page. (#113213)
  • The validation for required field now works (#112854)
  • createEntry, updateEntry, createPage and updatePage now accepts empty array of categories, folders and assets. (#113613)
  • The default value will be returned when the value of customfields is empty. (#113697, #113699)

Movable Type Advanced

  • Upgrade function now works when using LDAP with SSL. (#113687)


  • The thumbnail in the uploaded-list now displays correct image when uploading a different image with the same filename. (#113669)
  • On the image editor, the selected area and operation area now points to same area. (#113434)
  • Creating a thumbnail of a tiff image now works when the image driver is set to Imager. (#113464)
  • File uploading now works when the filename is more than 21 bytes and it has no file extension. (#113483)
  • The filter of asset type on the asset listing dialog now works when the mt_asset table schema is extended by a plugin. (#113651)
  • The search on the asset listing dialog now works. (#113728)
  • On the Windows environment, image resizing now works when the image driver is set to ImageMagick. (#112908)

Entries & Pages

  • The date-based archive files are now removed when the entry status is changed to unpublish. (#112656)
  • Unnecessary tag is never inserted in the content when the entry format is set to 'Textile2'. (#112878)
  • The duplicate check method for the page is now changed to use the permalink-based. (#113703)
  • The 'Boilerplate' menu is now displayed when the user has system administrator only. (#113626)

Content Sync (Movable Type Advanced)

  • Content syncing now works when the directory name of the source contains Japanese characters. (#113688)
  • The validation error message now disappears when the entered sync datetime is correct. (#113764)

Dynamic Publishing

  • Prevents 503 error when memcached is enabled. (#113603)
  • The modifier that named 'class_type' now works with MTEntries. (#113641)
  • MTAssets tag now works in the multiblog context. (#113324)
  • An entry or page created with Markdown now renders when running with PHP5.5x. (#113633)


  • The entries graph in the Site Stats widget now works when Google Analytics is already configured but service is unreachable. (#110417)


  • The search term is no longer double encoded when it contains HTML. (#113719)


  • The revision history is now logged when the file link is modified. (#112277)
  • The preview of a category template is now made with real data. (#113570)
  • Unnecessary warning no longer appears when saving a template. (#113622)
  • The user archive page no longer contains other user's entries when a user does not have published entries. (#113704)

Template Tags

  • MTCommentIfModerated returns correct results as written in the documentation. (#113363)
  • The build error now detects when the error occurs in the module that is loaded by MTIncludeBlock. (#113220)
  • The value of customfields for template of the current context is now gettable when that is in the MTIndexList block. (#113648)
  • MTArchiveCount returns correct value when used in the date-based archive page. (#113577)


  • Revised the description for IO::Socket::SSL in the mt-check.cgi and mt-wizard.cgi. (#112904)
  • The mail header no longer contains bcc address when EmailNotificationBcc is enabled. (#112989)
  • Site Stats cache is now cleared even if too many users exists in the system. (#113652)
  • The mt-ftsearch.cgi now does not return same result of mt-search.cgi. (#112784)
  • The search term is no longer double encoded when it contains HTML. (#113726)


Go ahead and try this version from:

Login using:

- username: demo

- password: testthis




Kind Regards,

Mihai Bocsaru

Yesterday, April 14th, Six Apart issued Movable Type v6.0.8 and Movable Type v5.2.13 as mandatory security updates.

These versions are solving the following two important security issues:

  • An issue involving possible Remote Code Execution has been fixed. (#112921) (CVE-2015-0845)
  • An issue that makes it possible to run Install-Wizard even if mt-config.cgi file exists, has been fixed. (#112924)

Upgrading your installation to one of these versions, I would say to v6.0.8, is very important.

Dear Friends,

Yesterday, February the 11th, 2015, Six Apart launched a mandatory security release of its v5.1.x, v5.2.x and v6.0.x versions.

According to the announcement that Six Apart made available, this security release addresses a security issue due to vulnerability of the Storable perl module.

On this occasion, Six Apart announced that versions v5.0.x and v5.1.x have reached their end of life cycle, the currently developed version being v6.x, while v5.2.x will continue to receive security fixes, as security issues are revealed.

Make sure to upgrade your installation ASAP!

Another idea is to upgrade directly to v6.1 which was released right after the movable type v6.0.7 security release and which includes a lot of other improvements.

More details at:


To evaluate the product, please go to:

And login as:
- username: demo
- password: testthis

Many thanks,
Mihai Bocsaru

On December the 9th, Six Apart launched a mandatory security update in the form of movable type v6.0.6, v5.2.11 and v5.18.

You should know that a vulnerability has been discovered in the Movable Type XML-RPC interface.

This vulnerability could be resolved by upgrading to one of the versions above, or it could be solved by disabling the 'mt-xmlrpc.cgi' script. An easy way to disable it is to remove its execute permissions.

On the other hand, be aware that if you disable the above mentioned .cgi script, your movable type installation won't be able to send out pings, for example to the web services that you might have configured for your blog/website.

Worth mentioning is that this version, apart from fixing a security issue, includes also a bug fix related to the backup and restore feature. From now on, when restoring from a compressed backup file, items included with the backup file will also be restored.

Take a look at the latest product from:

Login as:
- username: demo
- password: testthis

Happy Testing!

On April 9th, 2014, Six Apart launched Movable Type v6.0.3.

This release includes a number of bug fixes, a new configuration directive and a security fix.

The newly introduced directive is called 'DBBlobMaxLen' and it would allow you to set the database driver buffer size. You could increase this setting beyond 512KB using this directive, but pay attention because this would raise your server CPU usage.

As for the bug fixes, you should know that the following areas have been improved:


A problem with data not being displayed properly on the Site Stats widget graph has been fixed.

Entries and pages

A problem that occurred when having the 'PreviewInNewWindow' configuration directive enabled has been fixed. The problem was that entry or page preview temporary files weren't automatically deleted when this directive was enabled.


A problem that occurred when having the 'RPTProcessCap' directive enabled has been fixed. Sometimes the number of run-periodic-tasks processes that can run simultaneously on the server was not respected.

Finally, the error "Cannot find column 'blogs' for class 'MT::Blog'" that was occurring under certain situations upon browsing to the Dashboard page has been corrected.

Since a security fix is involved it is recommended that you upgrade your installation ASAP. If you need any help, I'm available.

You could evaluate movable type v6.0.3 from:

Login as:
- username: demo
- password: testthis

On November the 15th, 2013, Six Apart released a mandatory security update for movable type v5x and v6x.

The security issue that was identified and fixed is related to the Rich Text Editor present in movable type v5 and v6 which was susceptible to cross-site scripting (XSS) attacks.

A remote attacker could have injected JavaScript into a page or an entry from within a movable type blog or parent website.

Furthermore, that JavaScript coding could have been executed on the client browser when that page or entry would have been displayed in the Rich Text Editor.

It is strongly recommended that all installations running movable type v5.x or v6.x are upgraded to the latest release. If you need another pair of hands for upgrading your movable type installation I'm available.

Dear Friends,

Six Apart identified a security issue on movable type v4.2x and v4.3x installations.

The problem is that through the "mt-upgrade.cgi" script OS command injection or SQL injection could be performed and these actions might open a vulnerability.

This vulnerability affects all versions, namely: open source, professional and enterprise.

You could address this issue by implementing the patch from:

Or by either deleting the "mt-upgrade.cgi" script or by setting its file permission to 000.

I would strongly recommend you to implement this patch or follow the other 2 actions I've mentioned above ASAP.

If you need help on implementing this patch or on upgrading movable type to v5.2.2 I'm available.

Kind Regards,
Mihai Bocsaru
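
The two workarounds described in the posts above (removing execute permission from 'mt-xmlrpc.cgi', and deleting "mt-upgrade.cgi" or setting it to mode 000) can be verified with a small audit script. This is an added example, not code from the original posts or from Six Apart; the directory layout, the constructed sample files and the mt-wizard.cgi check (flagging the wizard once mt-config.cgi exists) are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit a Movable Type CGI directory against the workarounds
# described on this page. File layout and sample data are assumptions.

# Print the nine permission characters (rwxrwxrwx) of the file given as $1.
# Reading them from ls keeps the result independent of who runs the audit.
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# Print one line per finding for the Movable Type directory given as $1.
mt_audit() {
    dir=$1

    # Workaround from the page: remove execute permission from mt-xmlrpc.cgi.
    f="$dir/mt-xmlrpc.cgi"
    if [ -f "$f" ]; then
        case $(perm_bits "$f") in
            *[xst]*) echo "mt-xmlrpc.cgi: still executable" ;;
        esac
    fi

    # Workaround from the page: delete mt-upgrade.cgi or set its mode to 000.
    f="$dir/mt-upgrade.cgi"
    if [ -f "$f" ] && [ "$(perm_bits "$f")" != "---------" ]; then
        echo "mt-upgrade.cgi: present with mode other than 000"
    fi

    # Policy assumed by this example: once mt-config.cgi exists the install
    # wizard has done its job, so an executable mt-wizard.cgi is reported.
    f="$dir/mt-wizard.cgi"
    if [ -f "$dir/mt-config.cgi" ] && [ -f "$f" ]; then
        case $(perm_bits "$f") in
            *[xst]*) echo "mt-wizard.cgi: executable although mt-config.cgi exists" ;;
        esac
    fi
}

# Build a constructed sample install (empty files, all scripts mode 755)
# and print its path. Used when no directory is given on the command line.
make_sample() {
    d=$(mktemp -d)
    : > "$d/mt-config.cgi"
    for s in mt-xmlrpc.cgi mt-upgrade.cgi mt-wizard.cgi; do
        : > "$d/$s"
        chmod 755 "$d/$s"
    done
    echo "$d"
}

# With an argument, audit that directory; otherwise audit the sample.
if [ -n "${1:-}" ]; then
    mt_audit "$1"
else
    d=$(make_sample)
    mt_audit "$d"
    rm -rf "$d"
fi
```

An empty result means none of the three scripts is in the state the posts warn about; it says nothing about whether the installed version itself is patched.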

It's always a pleasure for me to announce that Six Apart launches a new movable type release.

The pleasure is even higher when the update contains a combination of new features, bug fixes and isolated security issues.

It has been almost 8 months since the previous release, and many may have wondered whether this product is still being developed. Those who are aware of this place know that Six Apart Japan is working every single day to make this product even better.

When movable type celebrated 10 years Jun Kaneko wrote a nice post called "Status of Movable Type development". In that post he was showcasing the number of fixed and implemented cases over time and clearly shows that the work on improving movable type is stronger than ever.

You could judge the amount of excellent work that has been done from this version release note.

Vulnerabilities' Fixes

The main thing that you should be aware of, and the main reason to upgrade your installation immediately, is that this version fixes multiple vulnerabilities, which include:

  • OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has a permission to sign-in to the admin script and also has a permission to upload files.
  • Session Hijack and CSRF exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code on victim's browser under the certain circumstances.
  • XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave's SpiderLabs Security Advisory TWSL2012-002)

New Features

Supported Browsers

You may have learned the hard way that movable type v5.x didn't support Internet Explorer 9 or the latest versions of Firefox and Safari. Movable Type v5.13 is now compatible with all these browsers.

Security Enhancements

Movable Type considers security the main priority given the more and more attempts to exploit vulnerabilities across today's technologies.

What movable type adds to v5.13 in this respect is:

  • Account and IP Lockout

    Account lockout is a feature to protect your Movable Type account from a password-guessing attack known as a brute force attack or a dictionary attack. Movable Type locks out accounts after a defined number of incorrect password attempts.

  • Changing Password Validation Rules

    A system administrator can set password validation policies to let users use stronger passwords.

  • Stronger Password Encryption

    I was myself signaling that movable type was recognizing only the first 8 characters of the password and that we need to make passwords stronger, now that there are so many *jerks* trying to penetrate various resources online.

    Well, I'm delighted to announce that movable type v5.13 introduces a stronger password encryption algorithm which recognizes the password in its full length.

    Six Apart also mentioned:

    When you upgrade your installation from the older versions to 5.13, Movable Type users still can sign-in to the installation with the old passwords, but it is recommended to update their passwords to utilize this change.

    Due to this change, the database column length of author_password was changed from 60 to 124.

Other Enhancements

In total there are 65 cases detailed at which are now part of this movable type v5.13 release.

You may like to take a look at them online at:

Movable Type Upgrade Consultant

Before closing let me remind you that I'm a movable type consultant available to upgrade your movable type installation, as well do any other movable type or web development work you might need.

Contact me from the contact page if you need a quote!


As always, I've upgraded the movable type v4.x and v5.x installations available for online demo to the latest releases and you could access any of these installations from the top navigation menu (selecting "v4x" or "v5x").

Many thanks,
Mihai Bocsaru

