Movable Type v6.6 - Security Fixes and Many Other Improvements

Six Apart announced Movable Type v6.6 today, a huge step forward in terms of new and improved functions, updated functions and security fixes.

This release introduces support for PHP v7.4.

New and Improved Functions

  • Add Table in RichText Editor.
  • Enable selecting tasks via run-periodic-tasks
  • Avoid inserting unnecessary line feeds or spaces in "Convert to Linefeed".
  • Log to STDERR when MT::Util::Log is not set.
  • Add PurePerl Digest::SHA and Digest::MD5 modules for fallback.
  • Log removing a file at rebuilding.
  • Support PHP 7.4
  • Enable DBHost with Oracle.
  • Enable "requiresslreuse=YES" in Content Sync.
  • Support Emoji, with utf8mb4 of MySQL / MariaDB.

Updated Functions

  • Remove composer.json and composer.lock from the MT package.
  • The default email encoding is changed to UTF-8.
  • Remove DjDT modules used in debug mode.
  • Update several Perl modules in extlib
  • The file list of Content Sync is not included when exporting a site.
  • The first frame of Animation GIF is used as a thumbnail.
  • Remove ezsql.
  • Update ADOdb to 5.20.16
  • Update Smarty to 3.1.31.
  • Update Image::ExifTool to 11.85.
  • Remove some ping update services that were closed.
  • Remove unnecessary method definition in Group feature.
  • Remove unnecessary codes from a list of templates.

Resolved Issues

Security Fixes and Improvements

  • Fix XSS in __mode=rebuild. (CVE-2020-5575)
  • Fix CSRF in __mode=startrebuild. (CVE-2020-5576)
  • Fix XSS in template list. (CVE-2020-5575)
  • Fix CSRF via Sign-In page. (CVE-2020-5576)
  • Prevent uploading of PHP files with a double extension. (CVE-2020-5577)
  • Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
  • Fix XSS in __mode=startrebuild. (CVE-2020-5575)


  • Unlist some OpenID providers that were obsolete.
  • Fix not to show an alert at creating a site.
  • Fix to update the file information correctly in Content Sync.
  • Fix an error at sorting child sites in the site list of the System.
  • Fix links of DBMS module in mt-wizard.cgi.
  • Fix not to show jQuery alerts.
  • Fix some MT tags in preview mode.
  • Fix sort order of the list of users in system view.
  • Fix to store iframe in embed object of Custom Field.
  • Remove unnecessary spaces in the error message of Database Setting.
  • Fix an item name of pull down menu of cell attribution of Table Feature For TinyMCE.
  • Fix to check uniqueness of Role name.
  • Fix to allow the role of "managing web pages" to create a new folder.

Features to be deprecated in the next or future release

  • Remove TypeKey related modules and functions.
  • Remove Motion Plugin
  • Remove OpenID Plugin
  • Remove Crypt code from MT Core.
  • Deprecate MT::Util::perlsha1digest(_hex)
  • Deprecate Update Ping

Please check it at:

- username: demo
- password: testthis



This is a personal website and doesn't have anything to do with Six Apart; nevertheless, Chris Alden, the former Six Apart CEO, appreciated my idea when he saw it available online.