Movable Type Security Bug

Movable Type 3.33 has a script injection bug if the nofollow plugin is disabled. Comment text is no longer sanitized as it should be.

Last month, Jacques Distler brought to my attention that Movable Type 3.3 had a script injection problem. Basically, any Javascript entered in a comment would not be sanitized and would appear on the blog. For example, try typing this in the comment form:

<script type="text/javascript">alert('hi!');</script>

It looked like Movable Type was no longer sanitizing comments, which it did until version 3.2.

Since both our installations were heavily modified, we were not sure whether it was due to our code modifications or an inherent Movable Type problem. I checked at a number of other weblogs and found out that script injection was a problem at some but not at others.

I brought this bug to the attention of Six Apart, the company that makes Movable Type immediately. They confirmed the issue and clarified that it affected only those users who had disabled the nofollow plugin distributed with MT 3.33. They also asked me for 30 days before making the issue public so that they could work on a fix.

While there has not been any announcement by Six Apart on this matter, I expect that they would fix it in the bugfix release 3.34 currently being worked on in their code repository.

Meanwhile, if you are using Movable Type 3.3, here are your options. If you have the nofollow plugin enabled (which it is by default), you shouldn’t have a problem. Otherwise:

  1. Enable the nofollow plugin.
  2. Edit your templates by adding sanitize="1" to the MT comment tags, like this:
    <MTCommentBody sanitize="1"> and <MTCommentPreviewBody sanitize="1">.

UPDATE: It looks like the sanitize function is completely disabled when you disable the nofollow plugin as it isn’t sanitizing my entry text either.

UPDATE II: Movable Type 3.34 fixes the problem.

Author: Zack

Dad, gadget guy, bookworm, political animal, global nomad, cyclist, hiker, tennis player, photographer

8 thoughts on “Movable Type Security Bug”

  1. It looks like the sanitize function is completely disabled when you disable the nofollow plugin as it isn’t sanitizing my entry text either.

    I don’t believe your entry text ever got sanitized. Presumably, you (the blog owner) can be trusted.

  2. [IT-26] Movable Type is out of date

    null According to the front pages of Nature blogs, they’re still “powered by Movable Type 3.2”. If this is really the case, they need to be upgraded as soon as possible, as old versions of Movable Type have numerous security vulnerabilities that leave…

  3. If you have a custom installation as me and still using 3.3 you should also add MTCommentAuthorLink sanitize=”1” to your templates.

Comments are closed.