Security Update: Movable Type 5.12, 5.06, and 4.37 Released

| 1 Comment | No TrackBacks |
If you are running Movable Type and you have users on your system you can't completely trust, you urgently need to update to the latest version, says Six Apart in an announcement this morning.  They specifically mention that this release fixes an issue where:
Under certain circumstances, a user who has "Create Entries" or "Manage Blog" pemissions may be able to read known files on the local file system.
That is bad, as it would allow a potential attacker to read things like configuration files etc. which may contain passwords or other sensitive information.
However, if you are the only author on the system and you haven't set up Movable Type to allow newly registered users to get these permissions anywhere, you should be pretty safe it seems.

Anyway, the relese notes for this update can be found here.

They also make a reference to an issue in MT5.1x:

106303 Published URL was changed after upgrading to 5.1x

This link does not work for me, but I believe it is a reference to this issue discussed on the forums recently.  In short, entries that had double dashes in their title were getting a different published URL under MT5.11, and this change seems to have been reverted in MT 5.12.

No TrackBacks

TrackBack URL:

1 Comment

There's a kindle ebook "Blogging with Movable Type" that gives a good introduction to Movable Type for beginners available on Amazon. Helped me to get some things sorted.

Leave a comment