
Important Fast Search Security Update

A new version of the Fast Search plugin for Movable Type is available.

The new version is a very important security update, and I recommend that all sites install the new version as soon as possible.

The primary issue that has been fixed was a security bug in which a malicious person could insert HTML or JavaScript into your search results pages by modifying the query string. Please note that this does not affect regular user searches or tag searches, but rather search results pages that spammers have linked to from external web sites.

Other fixes include a pagination issue that was affecting certain users (in which the page numbers were inaccurate), and a fix for the tag_dir argument when the blog was not at the root of the domain.

You can download the new version from the links below:

Fast Search 2.22 for MT4+:
Download Now
Downloads: 3091 (since 3/6/07)

Fast Search 2.092 for MT3.2 and 3.3:
Download Now
Downloads: 3091 (since 3/6/07)

If you have previously purchased the Pro version, you should have by now received an email with a download link. If not, please contact me.
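
The query-string injection described above comes from copying request values into the results page without encoding them. The following is an added example, not code from Fast Search: the parameter names `query`, `ids` and `page` and both render functions are hypothetical, and the comma-separated integer pattern is the one quoted in the comments below.

```php
<?php
// Added illustration, not Fast Search source. Parameter names "query",
// "ids" and "page" are hypothetical.

// Encode text for HTML element content or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Comma-separated integers only, e.g. "1,4,12". \z (not $) also rejects
// a trailing newline.
function valid_id_list(string $s): bool
{
    return preg_match('/^[0-9]+(,[0-9]+)*\z/', $s) === 1;
}

// Unsafe pattern: the query-string value is copied into the page as-is.
function render_unsafe(array $get): string
{
    return '<h2>Results for ' . ($get['query'] ?? '') . '</h2>';
}

// Hardened: validate structured parameters, encode free text on output.
function render_safe(array $get): string
{
    $query = is_string($get['query'] ?? null) ? $get['query'] : '';
    $ids   = is_string($get['ids'] ?? null) && valid_id_list($get['ids'])
           ? $get['ids'] : '';
    $page  = is_string($get['page'] ?? null) && ctype_digit($get['page'])
           ? max(1, (int) $get['page']) : 1;

    // http_build_query() percent-encodes values; h() then encodes the
    // finished URL for the href attribute.
    $next = '?' . http_build_query(
        ['query' => $query, 'ids' => $ids, 'page' => $page + 1]
    );

    return '<h2>Results for ' . h($query) . '</h2>'
         . '<a href="' . h($next) . '">Next page</a>';
}

// Constructed request, as if a link from an external site had been followed.
$get = ['query' => '"><em>injected</em>', 'ids' => "1,2\n", 'page' => '2x'];

echo render_unsafe($get), "\n"; // markup from the URL reaches the page
echo render_safe($get), "\n";   // same text shown inert; ids dropped, page reset to 1
```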

Comments (13)

arindam:

hi,
i just installed fast search on a couple of my blogs. using the default template. it does not appear to be picking up the MTSearchString variable. however it is seeing other mt tags such as the blogname etc.

any ideas why.

arindam:

if it helps, i did come across this mt4 dynamic publishing bug post http://mt-hacks.com/20071214-dynamic-publishing-bug-in-mt4.html

rebuilding mtview.php didn't help either.
how do i check to ensure dynamic publishing is working? could this be an issue with the server not allowing rewrites?

I'm sure this used to work, but for some reason I can no longer search for words three characters or under - I've tried switching between fulltext and fallback modes but with no joy :(

Hi.

We're trying out FastSearch to see if we can use it on our new blog I'm setting up. It looks cool - is really fast and working in PHP is so much easier - BUT, it spits out a bunch of irrelevant tag results.

We're getting entries coming up that aren't tagged with the selected tag. We're also getting duplicate entries in the search results. It doesn't seem to be missing any tagged entries - it's just giving us a bunch of extra results.

Any ideas what might be causing this?

Matthew Fries:

I found out what is going on.

Your tag search is searching both entries and assets without differentiating between them.

1. It looks for a tag that matches in the mt_tag table.

2. It looks in the mt_objecttag table for matching objecttag_tag_id

3. You then return all the objecttag_object_id records that match - whether they are entries or assets

The problem is, assets and entries can use the same id since they are in different tables. So I'm ending up with entry results that are based on an asset's id - hence unrelated and duplicate entries. I'm not finding anything in your documentation that explains if/how you can restrict the results to entries.

That's going to come in very handy when I'm experimenting

Matthew:

There's apparently a bug in MT 4.25 that mixes up tags for assets and entries as well. Maybe connected? Supposed to be addressed in a future update...

Jim:

MT Template code (mt:EntryPostType) produces Smarty error in Tag Search Results.

Anyone find a work around (besides removal)?

Jim:

OK - I guess that was a bad post - I get the Smarty error:

MT 4.31 Pro
Visitors Stats 2.2Pro

Rik:

I've moved a blog using MT-FastSearch to a new webhost, but it's giving me this error with searches:
Function eregi() is deprecated

I'm using FastSearch 2.22 w/ MT-4.24 on a system with PHP 5.3.0.

Rik:

If anyone else had the same problem - make this change in plugins/FastSearch/php/block.mtsearchresults.php:

line 27: eregi('^[0-9]+(,[0-9]+)*$'
becomes
preg_match('/^[0-9]+(,[0-9]+)*$/i'

line 53: eregi('^[0-9]+(,[0-9]+)*$'
becomes
preg_match('/^[0-9]+(,[0-9]+)*$/i'

Dunno if this occurs anywhere else in the plugin, but this was enough to at least get search results out of it.
