Six Apart, the company developing Movable Type, has released updates for the popular blogging platform in order to patch a zero-day vulnerability used by hackers to break into the PBS.org website two weeks ago.
At the end of May, LulzSec, a hacker group that recently captured headlines with attacks against Sony and other companies, hacked into the website of the Public Broadcasting Service (PBS) and posted fake news articles.
The hackers did this because they didn't like a WikiLeaks documentary that aired on PBS Frontline a day earlier.
In a post on its official blog, Six Apart admits working with PBS following the incident to determine how hackers managed to compromise its website, which runs on Movable Type.
The company has released mandatory security updates today across all branches — 4.0, 5.0 and 5.1 — in order to address the security issues exploited by LulzSec.
Users are strongly recommended to upgrade to Movable Type 5.11, 5.051, and 4.361, depending on what branch they use, the company stressed.
Changes include the addition of a blacklist and whitelist for uploaded files. These were implemented as two configuration directives called DeniedAssetFileExtensions and AssetFileExtensions.
The default value for DeniedAssetFileExtensions includes ascx, asis, asp, aspx, bat, cfc, cfm, cgi, cmd, com, cpl, dll, exe, htaccess, htm, html, inc, jhtml, js, jsb, jsp, mht, mhtml, msi, php, php2, php3, php4, php5, phps, phtm, phtml, pif, pl, pwml, py, reg, scr, sh, shtm, shtml, vbs, and vxd, which means these file types are not accepted for upload.
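As an added example that is not Movable Type's own code, the following Python check implements the deny-list/allow-list upload policy described above. The default deny list is the one quoted in the article; the matching rules (case folding, checking every dotted suffix rather than only the last one, rejecting names without an extension) are this example's assumptions, not a description of how Movable Type itself matches extensions.

```python
"""Upload extension policy check modelled on the deny/allow-list idea
behind the DeniedAssetFileExtensions / AssetFileExtensions directives.
Added example; the matching rules below are assumptions of this example."""
import posixpath

# Default deny list as published for Movable Type 5.11 / 5.051 / 4.361.
DENIED_ASSET_FILE_EXTENSIONS = frozenset("""
ascx asis asp aspx bat cfc cfm cgi cmd com cpl dll exe htaccess htm html
inc jhtml js jsb jsp mht mhtml msi php php2 php3 php4 php5 phps phtm
phtml pif pl pwml py reg scr sh shtm shtml vbs vxd
""".split())


def extensions_of(filename: str) -> list[str]:
    """Return every dotted suffix of the basename, lower-cased.
    'Shell.PHP.jpg' -> ['php', 'jpg']; '.htaccess' -> ['htaccess'].
    Every suffix is checked, not only the last, because some web servers
    choose a handler from any of a file's extensions (so 'x.php.jpg'
    must not slip through a check that looks at 'jpg' alone)."""
    base = posixpath.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return [p for p in parts[1:] if p]  # drop the stem and empty parts


def upload_allowed(filename: str,
                   denied=DENIED_ASSET_FILE_EXTENSIONS,
                   allowed=None) -> bool:
    """Deny list wins first: any listed suffix rejects the file.
    Optional allow list: when given, the final extension must be in it.
    Names with no extension are rejected, since the server's handling
    of them is unpredictable."""
    exts = extensions_of(filename)
    if not exts:
        return False
    if any(ext in denied for ext in exts):
        return False
    if allowed is not None and exts[-1] not in allowed:
        return False
    return True
```

The allow-list branch corresponds to AssetFileExtensions: with an explicit list of media extensions, anything not on it is refused even if it is absent from the deny list.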
The vulnerability exploited by LulzSec might have been a remote file inclusion (RFI) flaw. However, a flaw patched in WordPress days before the group's attack allowed attackers to upload and execute PHP files carrying media extensions (.gif or .jpg). Maybe this inspired the hackers to search for a similar one in Movable Type.
Movable Type 5.11, 5.051, and 4.361 can be downloaded from here.