
January 25, 2005

Another MT Mail Exploit.

The MovableType Comment/Trackback/… system (which uses email to notify the blog owner of newly posted comments/trackbacks) is vulnerable to being exploited by spammers. (Surprised?)

Update now, before the spammers get around to your blog.

Posted by distler at January 25, 2005 2:20 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/499

2 Comments & 0 Trackbacks

Re: Another MT Mail Exploit.

While I did remember the existence of the mt-send-entry.cgi problem, I’d rather forgotten the details until I reread your entry and saw that first proposed patch.

So, shall we assume that now everything has been looked at carefully, and everything goes through the patched is_valid_email, or shall we look ourselves?

Posted by: Phil Ringnalda on January 25, 2005 11:16 AM

Re: Another MT Mail Exploit.

I have not done a code-read, so I don’t know what’s changed, let alone whether the changes are sufficient to ward off a more clever miscreant. Installing MT 3.15 was a hasty late-night affair, and I have not had a chance to look further.

Posted by: Jacques Distler on January 25, 2005 4:04 PM
