Alert Concerning XMLRPC API Vulnerability in Movable Type

A new XMLRPC vulnerability in Movable Type (Japanese article), which caused a number of web tampering incidents at the school last year, has been discovered again.

To prevent web tampering as has occurred frequently in the past, you must take one of the following two measures.

• Update Movable Type to the latest version.
• Take the measures described in "Workaround for cases where updates cannot be performed" at the URL above.

Between these two measures, the latter, applying Workaround, is recommended unless the XMLRPC function is used on that site. If you applied this workaround instead of an update when the previous problem occurred, you do not need to take any new action regarding this vulnerability.

Although it may take some time to perform the update, the method described in the "What to do if the update cannot be performed" section on the above Web page can be performed in a very short time. If you are unable to update immediately, please take the measures described in "What to do if the update cannot be performed" first, and then consider updating the software. While waiting for the update, the site may be attacked and tampered with. If you have outsourced the management of your site, please be sure to inform us of this.

If you are unsure of the current status, please check with the contractor to whom you have outsourced the management of your system and contents. If you have not signed a contract for maintenance or other services since the website was launched, please contact the CSIRT with the documents from when the website was launched.

Thank you for your cooperation.