January 2013 Archives
Six Apart identified a security issue in Movable Type v4.2x and v4.3x installations.
The problem is that OS command injection or SQL injection could be performed through the "mt-upgrade.cgi" script, and these actions might open a vulnerability.
This vulnerability affects all editions, namely Open Source, Professional and Enterprise.
You could address this issue by implementing the patch from:
Or by either deleting the "mt-upgrade.cgi" script or setting its file permissions to 000.
I would strongly recommend that you implement this patch or follow the other two actions I've mentioned above ASAP.
If you need help implementing this patch or upgrading Movable Type to v5.2.2, I'm available.
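As an added example (not part of the original post and not Six Apart's patch), the "permission 000" workaround applied across a whole directory tree: a shell function that finds every copy of mt-upgrade.cgi, sets it to mode 000 and verifies that no accessible copy remains. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: apply the "permission 000"
# workaround to every mt-upgrade.cgi below a directory tree.
# Function names and the ROOT argument are assumptions of this example.

TARGET='mt-upgrade.cgi'

# count_unlocked ROOT: print how many TARGET files below ROOT are not mode 000.
count_unlocked() {
    find "$1" -type f -name "$TARGET" ! -perm 000 -print | wc -l | tr -d ' '
}

# lock_mt_upgrade ROOT: list each TARGET file, set it to mode 000, then verify.
# Returns 0 when no accessible copy remains, 1 otherwise, 2 on a bad ROOT.
lock_mt_upgrade() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Show owner and current mode first, so the change can be reviewed.
    find "$root" -type f -name "$TARGET" -exec ls -ld {} +

    # -type f skips symlinks; chmod is only run when something matched.
    find "$root" -type f -name "$TARGET" -exec chmod 000 {} + ||
        echo "warning: some files could not be changed" >&2

    left=$(count_unlocked "$root")
    if [ "$left" -ne 0 ]; then
        echo "$left copies of $TARGET are still accessible under $root" >&2
        return 1
    fi
    echo "all copies of $TARGET under $root are mode 000"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    lock_mt_upgrade "$1"
fi
```

Mode 000 can be reverted by the file's owner, so where the script is owned by the web server account, deleting it is the stronger of the two workarounds.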