Friday, January 05, 2007
Movable Type Security Bug
Last month, Jacques Distler brought to my attention that Movable Type 3.3 had a script injection (stored cross-site scripting) problem. Basically, any JavaScript entered in a comment would not be sanitized: it would be stored as-is and would run in the browser of everyone who viewed the entry. For example, try typing this in the comment form:
<script type="text/javascript">alert('hi!');</script>
It looked like Movable Type was no longer sanitizing comments, which it did until version 3.2.
Since both our installations were heavily modified, we were not sure whether it was due to our code modifications or an inherent Movable Type problem. I checked at a number of other weblogs and found out that script injection was a problem at some but not at others.
I immediately brought this bug to the attention of Six Apart, the company that makes Movable Type. They confirmed the issue and clarified that it affected only those users who had disabled the nofollow plugin distributed with MT 3.33. They also asked me for 30 days before making the issue public so that they could work on a fix.
While there has not been any announcement by Six Apart on this matter, I expect them to fix it in the bugfix release 3.34 currently being worked on in their code repository.
Meanwhile, if you are using Movable Type 3.3, here are your options. If you have the nofollow plugin enabled (which it is by default), you shouldn’t have a problem. Otherwise:
- Enable the nofollow plugin.
- Edit your templates by adding sanitize="1" to the MT comment tags, like this: <MTCommentBody sanitize="1"> and <MTCommentPreviewBody sanitize="1">.
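The sanitize="1" attribute only helps because it strips markup a commenter should never control. As an added example (my own code, not Movable Type's or Six Apart's), here is an allowlist sanitizer in Python that does what that attribute is meant to do for an untrusted comment body: it drops <script> and <style> together with their contents, keeps only a small set of harmless tags, discards every attribute except a vetted href and title on links, rejects javascript: URLs, and appends rel="nofollow" to links. The tag, attribute and scheme lists are my own choices, and the sample inputs in demo() are constructed. Because a comment author's URL is just another href, the same check covers the author-link case as well as the comment body.

```python
"""Allowlist HTML sanitizer for untrusted comment bodies.

Added example, not Movable Type code. The allowed tags, attributes
and URL schemes below are illustrative choices, not MT's own lists.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "code", "pre",
                "blockquote", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # everything else (onclick, style...) is dropped
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}    # tag AND its text content are removed
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(url):
    """Return the URL if it is relative or uses a safe scheme, else None."""
    stripped = url.strip()
    # Drop whitespace/control characters before checking the scheme:
    # "java\tscript:" is a classic bypass of a naive prefix check.
    probe = "".join(ch for ch in stripped.lower()
                    if ch.isprintable() and not ch.isspace())
    if ":" not in probe:
        return stripped                     # relative URL, no scheme at all
    return stripped if probe.startswith(SAFE_SCHEMES) else None


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = False               # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return                          # unknown tag removed, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue                # javascript:, data:, vbscript: ... rejected
            kept.append((name, value))
        if tag == "a":
            kept.append(("rel", "nofollow"))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_CONTENT_TAGS:
                self.skipping = False
            return
        if tag in self.open_tags:
            # Close everything opened after the matching tag, then the tag itself.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            # Text always goes out escaped, so "<" typed by a commenter is inert.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:               # close anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Sanitize one untrusted comment body and return safe HTML."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


def demo():
    """Constructed inputs: the payload from the post plus a few variants."""
    samples = [
        "<script type=\"text/javascript\">alert('hi!');</script>",
        '<p onclick="evil()">hi <b>there</b></p>',
        '<a href="javascript:alert(1)" title="x">me</a>',
        '<img src="x" onerror="alert(1)">text',
    ]
    return [sanitize(s) for s in samples]


if __name__ == "__main__":
    for cleaned in demo():
        print(repr(cleaned))
```

The sanitizer is applied at render time to the stored comment, which is exactly where sanitize="1" hooks in; note that the "allow a tag, drop its attributes" rule is what neutralises event handlers, and that the href check must look at the scheme after whitespace is removed, not just at the raw string.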
UPDATE: It looks like the sanitize function is completely disabled when you disable the nofollow plugin as it isn’t sanitizing my entry text either.
UPDATE II: Movable Type 3.34 fixes the problem.
Tags: movabletype
Posted by Zack at January 5, 2007 12:00 PM in Internet
Trackback Pings
TrackBack URL for this entry:
http://www.zackvision.com/mt/zv-trbk.cgi/1044
Listed below are links to weblogs that reference Movable Type Security Bug:
» Full Disclosure from Musings
A serious MovableType security vulnerability. [Read More]
Tracked on January 6, 2007 2:54 AM
» [IT-26] Movable Type is out of date from JIRA: IT
According to the front pages of Nature blogs, they're still "powered by Movable Type 3.2". If this is really the case, they need to be upgraded as soon as possible, as old versions of Movable Type have numerous security vulnerabilities that leave... [Read More]
Tracked on February 21, 2007 12:37 PM
Comments
I don't believe your entry text ever got sanitized. Presumably, you (the blog owner) can be trusted.
Posted by: Jacques Distler (10 comments) at January 5, 2007 7:42 PM | PGP Sig
Jacques: You are probably correct.
Six Apart have fixed this bug in their latest beta.
Posted by: Zack (1792 comments) at January 7, 2007 8:01 PM | PGP Sig
If you have a custom installation like me and are still using 3.3, you should also add <MTCommentAuthorLink sanitize="1"> to your templates.
Posted by: prepagate (1 comments) at June 20, 2007 11:03 AM
Has this bug still not been dealt with?
Posted by: Lily (1 comments) at December 8, 2007 1:32 AM
Lily: It was fixed in version 3.34.
Posted by: Zack (1792 comments) at December 15, 2007 11:10 PM