Movable Type has just issued a security update that should be applied to every Movable Type version from v3.2 onward.
In affected versions of Movable Type, there are circumstances in which a blog template may be rendered dynamically via CGI in an otherwise static publishing context. If you use Movable Type to publish PHP (or JSP or ASP) files and have embedded sensitive information (such as database connection details) in your Movable Type templates, that information could be exposed and viewed publicly.
Detailed Security Issue Description:
When a script is executed on a web server, it is processed by a single interpreter (e.g. Perl, PHP, Java). In other words, a Perl script cannot output PHP code that will subsequently be processed by the PHP interpreter later in the request chain. Scripts should therefore only output content intended for a browser.
In Movable Type this may pose a problem when the Individual Entry Archive template is used to write static PHP (or JSP, ASP, etc.) files to the file system. If these templates are instead processed dynamically and displayed via a CGI, the server-side code they contain becomes visible to the outside world. This can only occur when the Individual Archive Template is used to display comments dynamically.
There is an additional script, mt-view.cgi, in use by a very small number of users, which exhibits similar behavior.
Generally speaking, this in and of itself may not pose a security threat, unless your templates output information intended to be processed only by the server, such as database connection details or other sensitive data.
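As an added illustration (not part of the advisory, and not Six Apart's code), the following Python check shows the failure mode described above from the defender's side: it inspects a page body as a browser would receive it and reports any PHP, JSP or ASP source that reached the client instead of being executed, flagging blocks that look like they carry credentials. The two page bodies are constructed samples of the same Individual Entry Archive template seen first as a static published .php file (interpreter ran the block, browser sees only HTML) and then as the output of a dynamic CGI render (the Perl process emits the PHP block verbatim). The `<?xml` prolog is deliberately excluded so a legitimate XML declaration is not reported as a leak.

```python
import re

# Constructed sample 1: the template published as a static .php file and
# served through the PHP interpreter. The server-side block has already
# executed, so only HTML (plus a harmless XML prolog) reaches the browser.
STATIC_RENDER = """<?xml version="1.0" encoding="UTF-8"?>
<html><body>
<div class="entry">Hello world</div>
<div class="comments">3 comments</div>
</body></html>
"""

# Constructed sample 2: the same template rendered dynamically by a CGI.
# The CGI is a Perl process, so the PHP block is emitted verbatim.
# The credentials are placeholders, not real values.
DYNAMIC_RENDER = """<?xml version="1.0" encoding="UTF-8"?>
<html><body>
<?php
  // constructed placeholder credentials
  $link = mysql_connect("localhost", "mt_user", "EXAMPLE-PASSWORD");
?>
<div class="entry">Hello world</div>
<?php include("sidebar.php"); ?>
</body></html>
"""

# Constructed sample 3: a JSP template leaked the same way, but carrying
# only display logic, no credentials.
JSP_RENDER = """<html><body>
<% String title = request.getParameter("t"); %>
<div class="entry">Hello world</div>
</body></html>
"""

# Server-side code markers that should never appear in a browser response.
# The PHP pattern skips "<?xml" so an XML declaration is not a false positive.
SERVER_CODE_PATTERNS = {
    "php": re.compile(r"<\?(?!xml\b)[\s\S]*?\?>", re.IGNORECASE),
    "jsp/asp": re.compile(r"<%[\s\S]*?%>"),
}

# Hints that a leaked block carries connection details rather than
# harmless presentation logic (heuristic, constructed for this example).
SENSITIVE_HINTS = re.compile(
    r"(mysql_connect|mysqli_connect|new\s+PDO\b|password|passwd|dbpass|DB_PASSWORD)",
    re.IGNORECASE,
)


def find_leaked_server_code(body: str) -> list[dict]:
    """Return every server-side code block found in a client-visible body.

    Each finding records the interpreter kind, byte offset, whether the block
    looks credential-bearing, and a short snippet for the report.
    """
    findings = []
    for kind, pattern in SERVER_CODE_PATTERNS.items():
        for match in pattern.finditer(body):
            snippet = match.group(0)
            findings.append({
                "kind": kind,
                "offset": match.start(),
                "sensitive": bool(SENSITIVE_HINTS.search(snippet)),
                "snippet": snippet[:80],
            })
    # Report in document order regardless of which pattern matched first.
    return sorted(findings, key=lambda f: f["offset"])


def classify_response(body: str) -> str:
    """Summarise a body as 'clean', 'leak' or 'credential-leak'."""
    findings = find_leaked_server_code(body)
    if not findings:
        return "clean"
    if any(f["sensitive"] for f in findings):
        return "credential-leak"
    return "leak"


if __name__ == "__main__":
    for name, body in [("static", STATIC_RENDER),
                       ("dynamic", DYNAMIC_RENDER),
                       ("jsp", JSP_RENDER)]:
        print(name, classify_response(body))
        for f in find_leaked_server_code(body):
            print("  ", f["kind"], "sensitive=%s" % f["sensitive"], repr(f["snippet"]))
```

Run it against a saved copy of your own dynamically rendered comment page (the CGI path described above) and the corresponding static file: the static copy should classify as clean, and anything other than clean on the dynamic copy means template source is reaching browsers. A "credential-leak" result is the case the advisory warns about; a plain "leak" still exposes your template logic and warrants the upgrade.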
The Six Apart engineers issued updates for the following products:
- Movable Type v3.2
- Movable Type v3.3x (issued v3.36)
- Movable Type v4.x (issued v4.01a)
- Movable Type Enterprise
- Movable Type Community Solution
- Movable Type Enterprise Solution
PRO IT Service is glad to offer you a professional Movable Type upgrade service to protect your weblog from any potential security risks.
If you are interested in having one of our engineers handle your Movable Type upgrade, just drop us a line using the contact form or, if you see us online, the instant messaging platform in the side column.
For the official announcements you may like to refer to: http://www.movabletype.com/blog/2008/01/movable-type-security-update.html
Posted by Mihai Bocsaru on January 17, 2008