Movable Type 3.33, and associated FTP problems

Six Apart have just released a new version of Movable Type (3.33) which contains several patches for a bunch of potentially nasty security holes. Given the problems I had upgrading to 3.3 in the first place, I wasn’t exactly relishing the idea of another install, but security comes first.

And, just like last time: HTTP 500 server errors as soon as I tried to log back in afterwards.

It looks like my problem isn’t related to Movable Type at all, though, but instead to the FTP upload process. I had grabbed the .zip version of the Movable Type package, unzipped it locally, and then uploaded all the individual files to my web server. My FTP client is FileZilla, and the server is running NcFTPd. With FileZilla set to use multiple simultaneous connections (for a faster upload) it would occasionally transpose the contents of two files.

This is very ungood. Not only does this lead to the obvious failure situation where an app doesn’t work because its internals are screwed up (the HTTP 500 server errors I was seeing), but there’s also the possibility of a silent failure, where everything still appears to work, but all is still not well. For example, a file containing passwords could be swapped with a simple HTML file so that they become publicly readable (and Google-able).

Curiously, the transposing of files doesn’t seem to be entirely random. When I first noticed the phenomenon, I tried re-uploading the pair of files that had been switched, and they ended up switched again. It was only when I dropped back to using a single connection (menu: Queue -> Use multiple connections) that the upload worked properly.

A quick search on Google showed that although this is uncommon, it’s not an entirely unknown problem. A few people have mentioned this happening with FileZilla (here and here, for example), but this also seems to be an occasional problem with CuteFTP, too: see this forum post.

The fact that the problem shows up on multiple clients makes me wonder if it’s the server that’s at fault. Alternatively, both CuteFTP and FileZilla could be using a very similar, but subtly wrong piece of code to do multiple simultaneous uploads. Very curious. But at least knowing what has gone wrong will make me feel much more at ease when the next MT upgrade comes around.
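The silent-failure case described above can be caught by comparing content hashes of the local tree against the uploaded one. The following is an added example, not part of the original post: it assumes the uploaded files have been copied back over a single connection into a second directory (or hashed on the server), and the file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(local, remote):
    """Classify every path whose remote copy differs from the local original."""
    by_hash = {}
    for path, digest in local.items():
        by_hash.setdefault(digest, []).append(path)
    report = {"missing": [], "transposed": [], "corrupt": []}
    for path, digest in local.items():
        got = remote.get(path)
        if got is None:
            report["missing"].append(path)
        elif got != digest:
            # Remote content equal to a *different* local file is the swap case.
            donors = [p for p in by_hash.get(got, []) if p != path]
            if donors:
                report["transposed"].append((path, donors[0]))
            else:
                report["corrupt"].append(path)
    return report


def demo():
    """Constructed sample: three files, with two swapped in the 'remote' copy."""
    files = {"config.cgi": b"DBPassword example\n", "index.html": b"<html></html>\n",
             "lib/App.pm": b"package App;\n1;\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("local", "remote"):
            for name, data in files.items():
                target = Path(tmp, side, name)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        Path(tmp, "remote", "config.cgi").write_bytes(files["index.html"])
        Path(tmp, "remote", "index.html").write_bytes(files["config.cgi"])
        return compare(manifest(Path(tmp, "local")), manifest(Path(tmp, "remote")))


if __name__ == "__main__":
    print(demo())
```

A pair reported under `transposed` names the path and the local file whose content it received, which is what distinguishes a swap from ordinary corruption such as an ASCII-mode transfer of a binary file.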

4 Replies to “Movable Type 3.33, and associated FTP problems”

  1. If you’re still on 3.2, Six Apart have provided a set of patch files to fix your installation, so you don’t need to move up to 3.3 yet.

    From an email on the Sixapart Pronet mailing list (emphasis mine):

    All of the discovered vulnerabilities are of the cross-site scripting (XSS) variety and affect Movable Type 3.3x and MT Enterprise. Additionally, some affect MT 3.2 and one is believed to affect all previous versions of Movable Type.

    Although all vulnerabilities can be used to gain access to an installation, none of them have yet been used in a malicious way to our knowledge.

    I’ve seen a bunch of javascriptified comments hitting my blog over the last week or so. I reckon that patching your installation now would be a really good idea.

  2. After 3 attempts I’ve got the upgrade working. I had 500 errors on my very first install, that turned out to be an extra line needed in some CGI files as I had a Windows server. This time a little different.

    Good old 500 errors, but it was me that had gone wrong. After uploading (3 times) making sure I was in ASCII mode, I had tried to point my browser to the new install. The HTML worked, but the first CGI came back 500. It was me being over cautious that I was wanting to make sure the scripts were loading before I went to the next step that actually caused my problems. I was getting the 500s not through dodgy uploads, but incorrect file permissions.

    Set those, and it all worked at the first attempt.

    Learningmovabletype website has been invaluable.

  3. I went through this just 2 weeks ago. I had the same problems you described, but instead of using my head, I did a sql/template backup, wiped everything, installed 3.3 and imported the old Db.

    My site was started on 2.something, and had been upgraded up to 3.0 – it didn’t want to go any further and have everything still work.

    I didn’t realize I was having the stupid permission error until I had already done the damage… but I learned a lot more about MT and how it functions. 3.3 is nice! Widgets make perfect sense, the templates are organized better and the spam control is almost ideal.
