Movable Type 5.13, 5.07, and 4.38 Security Updates

This is the first MT upgrade in half a year. It still continues the three main branch versions: 4.3x, 5.0x and 5.1x.
All MT users are advised to upgrade, because this update exists to fix a number of security vulnerabilities.

5.13, 5.07, and 4.38 address multiple vulnerabilities, including:

  • OS Command Injection exists in the file management system; the most serious case may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.
  • Session Hijack and CSRF exist in the commenting and community scripts. A remote attacker could hijack a user's session or could execute arbitrary script code in the victim's browser under certain circumstances.
  • XSS exists in templates where variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.
  • XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (Trustwave SpiderLabs Security Advisory TWSL2012-002).
In addition, note that this update changes the JS template, so anyone upgrading should remember to update their templates. The templates mainly affected are the JS template, the header template and the comment form template. There are also a couple of small changes:

  • 1. Password storage is strengthened. Instead of hashing only the first 8 characters, all characters of the password are now hashed. The upgrade happens automatically with no intervention, but the consequence is that you cannot downgrade: if you later want to install a lower version, sorry, you will have to find a way to reset the passwords.
  • 2. Using mt:Include file="XXX" is now disabled by default (a pity, since I have been using this pattern all along). To keep using it, add the following setting:
    AllowFileInclude 1
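As an added illustration of the first change above (this is not code from the post or from Movable Type itself), the following Python model compares a scheme that hashes only the first 8 characters of a password against one that hashes the whole password, and shows why hashes written by the new scheme no longer verify under the old one. The digest function and salt are constructed stand-ins, and the reading of "first 8 characters" as crypt-style truncation is my assumption.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed value, fixed so results are reproducible
ITERATIONS = 50_000         # stand-in work factor, not MT's real parameters


def legacy_hash(password: str, salt: bytes = SALT) -> bytes:
    """Model of the pre-upgrade behaviour described in the post:
    only the first 8 characters of the password reach the hash.
    (Assumption: this mirrors DES-crypt-style truncation.)"""
    truncated = password[:8].encode()
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, ITERATIONS)


def full_hash(password: str, salt: bytes = SALT) -> bytes:
    """Model of the post-upgrade behaviour: every character contributes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(stored: bytes, candidate: str, scheme, salt: bytes = SALT) -> bool:
    """Constant-time comparison of a stored digest against a candidate password
    hashed with the given scheme (legacy_hash or full_hash)."""
    return hmac.compare_digest(stored, scheme(candidate, salt))


def collides_under_legacy(a: str, b: str) -> bool:
    """True when two *different* passwords are indistinguishable to the
    legacy scheme, i.e. they share their first 8 characters."""
    return a != b and legacy_hash(a) == legacy_hash(b)


def collides_under_full(a: str, b: str) -> bool:
    """Same check for the full-length scheme; expected to be False."""
    return a != b and full_hash(a) == full_hash(b)


def downgrade_breaks_login(password: str) -> bool:
    """Models the 'cannot downgrade' warning: a digest stored by the new
    scheme is rejected by a verifier that still truncates to 8 characters."""
    stored_by_new_version = full_hash(password)
    return not verify(stored_by_new_version, password, legacy_hash)
```

Run against a pair such as "correct horse battery" and "correct horse staple": the legacy model accepts either password for the other, the full-length model does not, and any password longer than 8 characters stored by the new scheme fails verification under the old one.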