Recently in Security Category

I recently encountered a bug in Movable Type where uploading a certain image failed with the message "Saving (filename) failed: Invalid image file format". Some digging led me to the file lib/MT/Image.pm, where the uploaded image was failing a check.  This was in MT4, but some older versions of MT5 can exhibit the same problem.  So, what is going on?
The official announcement is here.  The upgrade is mandatory if you want to keep up with security fixes.  Note: it looks like this update is not just a simple drop-in-and-run-the-upgrader affair; there are changes to several JavaScript and other templates as well.  If you are (mostly) using the default templates this should be quite easy to deal with by refreshing the templates in question.  If you are using customized versions of these templates it looks like you need to do some manual editing to avoid comments etc. breaking on the new version.

Melody 1.0.2 Released

It is not announced on the Open Melody blog yet, but Open Melody 1.0.2 is out.  This is a critical maintenance update containing the security fixes recently applied to Movable Type.  Release notes are here, download is here.
If you are running Movable Type and you have users on your system you can't completely trust, you urgently need to update to the latest version, says Six Apart in an announcement this morning.  They specifically mention that this release fixes an issue where:
Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.
That is bad, as it would allow a potential attacker to read things like configuration files etc. which may contain passwords or other sensitive information.
Six Apart has released updated versions of Movable Type containing several security fixes (and a few other bugfixes as well).  Release notes are here.  It is highly recommended to install these updated versions, as they patch a number of vulnerabilities of the type that got PBS.org hacked through a Movable Type 0day exploit last week.  As always, don't just upgrade, but make sure your installation is properly secured as well.
Anyone using the MT Cumulus plugin to generate a flash-based tag cloud, take heed: there is a security vulnerability in the flash part of this plugin that allows script injection attacks.  If you are using this plugin, it is probably better to remove it for now until an update becomes available, and to rely on Movable Type's built-in HTML-based tag cloud widget.
After the recent hacking of PBS.org (most likely caused by a 0day exploit in an older version of Movable Type 4), it is probably a good idea to review the security of your Movable Type installation.  To help you, we compiled this list of ten security tips, with help from the engineers at Six Apart Japan.
Hacker group LulzSec announced they hacked and defaced PBS.org, and claimed:
PBS.org was owned via a 0day we discovered in mt4 aka MoveableType 4
This comes just days after Six Apart announced a security upgrade for all Movable Type versions.  The most likely scenario is that someone reverse-engineered the security fixes to discover which vulnerabilities were patched and then exploited them.