Movable Type
Six Apart has announced an important security update recommended for all of its Movable Type (MT) users. Additionally, the new MT 3.35 -- or MT 1.53 Enterprise -- features an easier download and install process, including a setup wizard for first-time users. First and foremost, this release fixes the cross-site scripting (XSS) vulnerability that was found in the comment preview code. Specifically, the default templates have been modified to include the encode_html="1" attribute so that user-submitted data in the "Comment Preview" system template is properly escaped. Because the change is only to the default templates, users must apply the fix manually to any pre-existing blog in their system. The instructions, from Six Apart:
  1. Login to Movable Type
  2. From the System Overview, click "Search and Replace" located in the right hand navigation menu.
  3. From the search screen, click on the "Templates" tab.
  4. Conduct a search for <$MTCommentPreviewAuthor$>
  5. From the search results page, select the "Search and Replace" radio button
  6. In the "Replace:" text field enter the following: <$MTCommentPreviewAuthor encode_html="1"$>
  7. Select all the templates displayed in the search results by clicking the checkbox next to each one.
  8. Click the "Replace Checked" button.
  9. Repeat steps 4-8 replacing <$MTCommentPreviewEmail$> with <$MTCommentPreviewEmail encode_html="1"$>
  10. Repeat steps 4-8 replacing <$MTCommentPreviewURL$> with <$MTCommentPreviewURL encode_html="1"$>
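The ten steps above amount to one mechanical change: every comment-preview tag that lacks encode_html="1" gets the attribute added. The following Python script, written for this post and not code from Six Apart or Movable Type, automates that check over a template's text and includes a toy renderer that mimics the documented attribute semantics (escape the value only when encode_html="1" is present), so the before/after difference can be seen. The sample template, the tag regular expression and the renderer are constructed for illustration; they are not MT's real default template or template engine.

```python
import html
import re

# Constructed sample of a "Comment Preview" template fragment (not MT's real default template).
# Three tags lack the attribute; the last line shows a tag that already carries it.
SAMPLE_TEMPLATE = """<div class="comment-preview">
<p>Name: <$MTCommentPreviewAuthor$></p>
<p>Email: <$MTCommentPreviewEmail$></p>
<p>URL: <$MTCommentPreviewURL$></p>
<p>Already fixed: <$MTCommentPreviewAuthor encode_html="1"$></p>
</div>"""

# The three tags named in the Six Apart instructions.
PREVIEW_TAGS = ("MTCommentPreviewAuthor", "MTCommentPreviewEmail", "MTCommentPreviewURL")

# Matches <$MTTagName attr="value" ...$>; group 1 is the tag name, group 2 the attribute string.
# Assumption: attribute values are double-quoted, which is how the instructions write them.
TAG_RE = re.compile(r'<\$(MT\w+)((?:\s+\w+="[^"]*")*)\$>')


def count_unfixed(template: str, tags=PREVIEW_TAGS) -> int:
    """Number of preview tags that still lack encode_html (a quick audit of an existing blog's template)."""
    return sum(
        1 for m in TAG_RE.finditer(template)
        if m.group(1) in tags and "encode_html=" not in m.group(2)
    )


def add_encode_html(template: str, tags=PREVIEW_TAGS) -> str:
    """Equivalent of manual steps 4-12: add encode_html="1" to each listed tag that lacks it.

    Tags that already carry encode_html are left untouched, so the function is idempotent.
    """
    def fix(m: re.Match) -> str:
        name, attrs = m.group(1), m.group(2)
        if name not in tags or "encode_html=" in attrs:
            return m.group(0)
        return f'<${name}{attrs} encode_html="1"$>'
    return TAG_RE.sub(fix, template)


def render(template: str, values: dict) -> str:
    """Toy renderer: substitute each tag's value, HTML-escaping it only when encode_html="1" is set.

    This mirrors the documented meaning of the attribute; it is not Movable Type's engine.
    """
    def sub(m: re.Match) -> str:
        name, attrs = m.group(1), m.group(2)
        value = values.get(name, "")
        if 'encode_html="1"' in attrs:
            value = html.escape(value, quote=True)  # &, <, >, " and ' become entities
        return value
    return TAG_RE.sub(sub, template)


if __name__ == "__main__":
    # Constructed commenter input containing markup and a URL with an ampersand.
    submitted = {
        "MTCommentPreviewAuthor": "<i>Mallory</i>",
        "MTCommentPreviewEmail": 'first"last@example.com',
        "MTCommentPreviewURL": "http://example.com/?x=1&y=2",
    }
    print("unfixed tags before:", count_unfixed(SAMPLE_TEMPLATE))
    fixed = add_encode_html(SAMPLE_TEMPLATE)
    print("unfixed tags after: ", count_unfixed(fixed))
    print("--- rendered without the fix (markup passes through) ---")
    print(render(SAMPLE_TEMPLATE, submitted))
    print("--- rendered with the fix (markup is escaped) ---")
    print(render(fixed, submitted))
```

Running it shows the unfixed template emitting the commenter's `<i>` tag as live markup, while the fixed template emits `&lt;i&gt;Mallory&lt;/i&gt;`; `count_unfixed` returning 0 after the replacement is the same check as reviewing the search results in step 7 for any tag that was missed.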
Although this vulnerability affects a small percentage of MT users, it is a nasty bug and should be fixed ASAP. Other fixes include the following:
  * Fixed broken help links -- Fixed an invalid documentation link found on Movable Type's "Log in to Movable Type" index.html page.
  * Fixed MTDate tags to display the correct timestamp under daylight saving time -- MTDate tags now publish with the proper DST adjustment when using the "utc" attribute.
  * SQLite/BerkeleyDB to MySQL migration script fixed -- Using the mt-db2sql.cgi and convert-db scripts to migrate from BerkeleyDB or SQLite (respectively) to a SQL database may have resulted in garbled data. The bug has been fixed.
  * 48741: convert-db sometimes garbles characters -- Using convert-db to migrate from SQLite to a SQL database may have resulted in garbled data. The bug has been fixed.
  * Increased the size of the "template_name" column -- The length of the template name column has been increased to support the additional space that many localizations may need.
To compete with the other enterprise blogging platforms out there (*cough* such as WordPress), MT has made the download and install easier for the first timer. The MT product download no longer requires much hunting, nor does it require the user to have a TypeKey account. Taking ease of install one step further, first-time users will now be presented with the Movable Type Setup Wizard, which helps them configure the platform on their web server. It asks them a few questions and then takes care of the rest, thus reducing the barrier to entry. Keep an eye on this space as the players continue to seek out new users and work to keep both the hackers and the spammers at bay.