
Movable Type 4.38 patch to fix a known upgrading security issue

By Takeshi Nick Osanai
Posted January 7, 2013.

Six Apart has found a security issue and fixed it in Movable Type 4.2 and MT 4.3. For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly recommends that you upgrade to the latest released version of Movable Type or execute the following steps immediately. This vulnerability does not exist in Movable Type versions 5.0 or later, including the latest Movable Type, version 5.2.2.

The Issue

The Movable Type upgrade program (mt-upgrade.cgi) allows OS command injection and SQL injection. This issue may occur when mt-upgrade.cgi can be executed from the Internet.

Versions affected

  • Movable Type 4.2x, 4.3x
  • Movable Type Open Source 4.2x, 4.3x
  • Movable Type Enterprise 4.2x, 4.3x

The Fix for Movable Type 4.38 users

Six Apart will provide the patch code file for Movable Type 4.38 users. Please download and unzip the patch code file. As a backup, download the existing "lib/MT/Upgrade.pm" file from the Movable Type installation in use. Then upload the unzipped Upgrade.pm to replace it.

The Fix for those who cannot apply the patch code file (users who do not use Movable Type 4.38)

If you cannot use the patch code file, please apply one of the following solutions.

  • Remove the read permission and execute permission from mt-upgrade.cgi, so that external users on the Internet will not be able to run mt-upgrade.cgi.
  • Or delete mt-upgrade.cgi.
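The permission workaround above can be applied and verified from a shell on the server. The following is an added example, not code from Six Apart; it assumes a POSIX host where mt-upgrade.cgi sits directly in the Movable Type directory passed as the argument, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Six Apart's code): apply and verify the permission
# workaround for mt-upgrade.cgi. Assumption: the script lives directly in
# the Movable Type directory given as $1.

# Print the 9-character permission string of a file, e.g. rwxr-xr-x.
# Mode bits are read from ls so the check is also correct when run as root.
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Return 0 if mt-upgrade.cgi in $1 still has any read or execute bit set
# (owner, group or other); return 1 if it is locked down or absent.
mt_upgrade_exposed() {
    f="$1/mt-upgrade.cgi"
    [ -e "$f" ] || return 1
    case "$(perm_string "$f")" in
        *[rxst]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Strip read and execute bits for owner, group and other, then verify.
# The owner bits are cleared too because some hosts run CGI scripts as
# the file owner rather than as a separate web-server account.
lock_mt_upgrade() {
    f="$1/mt-upgrade.cgi"
    if [ ! -e "$f" ]; then
        echo "no mt-upgrade.cgi in $1 (already deleted?)"
        return 0
    fi
    if [ -L "$f" ]; then
        echo "refusing: $f is a symlink; lock the real file instead" >&2
        return 2
    fi
    chmod a-rx "$f" || return 1
    if mt_upgrade_exposed "$1"; then
        echo "FAILED: $f still has mode $(perm_string "$f")" >&2
        return 1
    fi
    echo "locked: $f now has mode $(perm_string "$f")"
}
```

Source the file and call `lock_mt_upgrade` with the directory that holds the Movable Type CGI scripts; `mt_upgrade_exposed` can be rerun later to confirm that a deploy or restore has not put the permissions back.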

Since Six Apart has already ended support for Movable Type 4.2x, we strongly recommend upgrading to the latest version of Movable Type, 5.2.2. If you are concerned about any issues resulting from applying this patch, please test it in a development environment first.


5 Comments

Bill on January 7, 2013, 10:02 p.m.

After copying this patch file to our servers do we need to do anything else, like rebuild our sites?

Takeshi Nick Osanai on January 7, 2013, 10:04 p.m.

Dear Bill, No, you do not need to do anything else.

wgeorge on January 8, 2013, 12:41 p.m.

Takeshi

I would like to point out that this is not a patch, but a patched file.

And do you have any Jira or other bug numbers that tell us exactly what is being patched here?

Just wondering,

Bill George Advance Digital

Takeshi Nick Osanai on January 9, 2013, 6:49 p.m.

wgeorge,

Because this is a security issue, we filed the case as an internal one. Sorry for the inconvenience, but please understand our intention.

Also, thank you for pointing that out.

Estor Nimphard on April 9, 2013, 7:09 a.m.

Thank you for the correction regarding the security flaw; it is rather welcome.

On MT, I’m French and I try to implement it in the process of the websites that we create from now on in our agency. Hoping I was right to trust MT!