Movable Type.org

Six Apart has found a security issue and fixed it in Movable Type 4.2 and MT 4.3. For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly recommends that you upgrade to the latest released version of Movable Type or execute the following steps immediately. This vulnerability does not exist in Movable Type versions 5.0 or later, including the latest Movable Type, version 5.2.2.

The Issue

Through the upgrade program of MT (mt-upgrade.cgi), OS command injection and SQL injection can be performed, and potentially open a vulnerability. This issue may occur when mt-upgrade.cgi can be executed on the Internet.

Versions affected

• Movable Type 4.2x, 4.3x
• Movable Type Open Source 4.2x, 4.3x
• Movable Type Enterprise 4.2x, 4.3x

The Fix for Movable Type 4.38 users

Six Apart will provide the patch code file for Movable Type 4.38 users. Please download and unzip the patch code file. Download "lib / MT / Upgrade.pm" file from Movable Type in use for backup. Then, upload unzipped Upgrade.pm, and replace it.

• MT4.38-Upgrade-Patch.zip

The Fix for those who cannot apply the patch code file (users who do not use Movable Type 4.38)

Those who cannot use the patch code file, please execute one of the following solutions.

• Remove the read permission and execute permission from mt-upgrade.cgi, so that external users on the Internet will not be able to run the mt-upgrade.cgi.
• Or delete the mt-upgrade.cgi.

Since Six Apart has already terminated the support of Movable Type 4.2x, we strongly recommend upgrading to the latest version of Movable Type 5.2.2. If you are concerned with any issues resulting from the implementation of this patch, please test this in a development environment first.