Continue reading "Invalid image file format" Error in Movable Type.
Movable Tips: Security Archives
I recently encountered a bug in Movable Type where uploading a certain image failed with the message "Saving (filename) failed: Invalid image file format". Some digging led me to the file lib/MT/Image.pm where the uploaded image was failing a check. This was in MT4, but some older versions of MT5 can also be affected. So, what is going on?
The official announcement is here. The upgrade is mandatory if you want to keep up with security fixes. Note: it looks like this update is not just a simple drop-in-and-run-the-upgrader affair, but there are changes to several JavaScript and other templates as well. If you are (mostly) using the default templates this should be quite easy to deal with by refreshing the templates in question. If you are using customized versions of these templates it looks like you need to do some manual editing to avoid comments etc. breaking on the new version.
It is not announced on the Open Melody blog yet, but Open Melody 1.0.2 is out. This is a critical maintenance update containing the security fixes recently applied to Movable Type. Release notes are here, download is here.
If you are running Movable Type and you have users on your system you can't completely trust, you urgently need to update to the latest version, says Six Apart in an announcement this morning. They specifically mention that this release fixes an issue where:
Six Apart has released updated versions of Movable Type containing several security fixes (and a few other bugfixes as well). Release notes are here. It is highly recommended to install these updated versions, as they patch a number of vulnerabilities of the type that got PBS.org hacked through a Movable Type 0day exploit last week. As always, don't just upgrade, but make sure your installation is properly secured as well.
Anyone using the MT Cumulus plugin to generate a Flash-based tag cloud, take heed: there is a security vulnerability in the Flash part of this plugin that allows script injection attacks. If you are using this plugin, it is probably better to remove it for now until an update becomes available, and to rely on Movable Type's built-in HTML-based tag cloud widget.
After the recent hacking of PBS.org (most likely caused by a 0day exploit in an older version of Movable Type 4), it is probably a good idea to review the security of your Movable Type installation. To help you, we compiled this list of ten security tips, with help from the engineers at Six Apart Japan.
Hacker group LulzSec announced they hacked and defaced PBS.org, and claimed:
Recently in Security Category
Continue reading Six Apart Releases Movable Type 5.13, 5.07, and 4.38 Security Updates.
Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.
That is bad, as it would allow a potential attacker to read things like configuration files etc. which may contain passwords or other sensitive information.
Continue reading Security Update: Movable Type 5.12, 5.06, and 4.37 Released.
Continue reading 10 Tips for Securing Your Movable Type Installation.
"PBS.org was owned via a 0day we discovered in mt4 aka MoveableType 4"
This comes just days after Six Apart announced a security upgrade for all Movable Type versions. The most likely scenario is that someone reverse-engineered the security fixes to discover which vulnerabilities were patched and then exploited them.
Continue reading PBS.org Hacked, or Why It Is Important to Keep Movable Type Updated.


