## January 25, 2005

### Another MT Mail Exploit.

The MovableType Comment/Trackback/… system (which uses email to notify the blog owner of newly posted comments/trackbacks) can be exploited by spammers. (Surprised?)

Update now, before the spammers get around to your blog.

Posted by distler at January 25, 2005 2:20 AM

### Re: Another MT Mail Exploit.

While I did remember the existence of the mt-send-entry.cgi problem, I’d rather forgotten the details until I reread your entry and saw that first proposed patch.

So, shall we assume that now everything has been looked at carefully, and everything goes through the patched is_valid_email, or shall we look ourselves?

Posted by: Phil Ringnalda on January 25, 2005 11:16 AM

### Re: Another MT Mail Exploit.

I have not done a code-read, so I don’t know what’s changed, let alone whether the changes are sufficient to ward off a more clever miscreant. Installing MT 3.15 was a hasty late-night affair, and I have not had a chance to look further.

Posted by: Jacques Distler on January 25, 2005 4:04 PM

