4.35 Security Update

Movable Type has several notable features, such as the ability to host multiple weblogs and standalone content pages, manage files, user roles, templates, tags, categories, and trackback links.

The application supports static page generation, dynamic page generation, or a combination of the two techniques. Movable Type has a really clever user interface, so when you log on to the back end you’ll arrive on the landing page *duh*, where they’ve integrated their blog. It immediately shows the latest news, which is great because it caught my eye the moment I logged on.

It wasn’t the heading that caught my eye but something a bit further down the page. It read: ‘Movable Type 5.04 and Movable Type 4.35 were released today. These are mandatory security updates for all users. These updates resolve multiple vulnerabilities discovered in MT5.x and MType 4.x.’ The important bit read:

Impact: A remote attacker could execute arbitrary code in a logged-in user’s web browser.

It made me chuckle when I read the next sentence: ‘A remote attacker could read or modify the contents in the system under certain circumstances.’ It’s exactly what happened on my domain a few months ago. My website had been pirated while I wasn’t paying attention; my content and blog posts had turned into a mess of millions of links. How did I discover it? Well, by checking my statistics. I’d noticed that Googlebot had gone mental scanning my website for hours/days instead of minutes.

So when I checked what it had been scanning so vigorously, I noticed unfamiliar, weird URLs, and when I finally checked my website I saw that all my content had been replaced with clever code. The source, however, was a folder that had appeared out of nowhere with at least 200 HTML files in it and some malicious code that I’d discovered. So I deleted everything and made sure my installation was clean. Afterwards I went looking on the net to see if others had had the same issue and if there was more info available, but I found only one similar case mentioned on the MT Forums and no one could really tell what was going on…

It was two months later that MT posted their security update, and that’s why it made me chuckle when I read about the possible ‘impact’ ;) I’ve updated it tonight, so let’s see if it will work this time, and I’ll make sure to keep an eye on my statistics in the meantime… *hehe*