The MT sites I host have been getting hammered with this email spamming flaw that allows arbitrary emails to be sent out from any MT installation. Fortunately I can block it (though bluntly) through mod_security. If you run MT, please delete the comments script until a fix is out. Will link to more information as it’s available.
Update: More at TextDrive.
Update: Fix available.
8 replies on “MT Email Spamming”
About to release a patch…
That was fast!
The changes are small enough to print on a t-shirt. Look to CafePress soon for all of you bug fix gear.
Security Hole Turns Movable Type into Spam Zombie
In a perverse new twist in the ongoing battle against comment spam, the spammers have found a way to use Movable Type’s comment-handling script as a powerful spam engine……
This just in:
The patch has been made available in both upgrade and plug-in flavors. The plug-in is compatible with MT 3.x and 2.661, thank God.
(props: Brad Choate, via the TextDrive forums)
It sure was nice to be able to upgrade before the problem ever affected me. The folks at Six Apart are really getting good at this stuff! 🙂
Then maybe now I can finally get in contact with my SQL server again 😀
he B has had some downtime these last few days, apparently due to a hole in Movable Type. Matt has the lowdown. […]