
MT an open relay

If you haven't heard about this yet, congratulations on being removed from society so well! The mt-send-entry.cgi script in Movable Type allows anyone to send email to anyone using your server, much like formmail.

There is a fix of sorts available, although it's not a particularly good one. Spammers can still spam using it; they're just restricted somewhat. I would suggest everyone just remove the thing altogether: there's no true need for it, it's not part of the default MT config, and anyone who really, really wants to allow people to email entries should just code a better way of doing it, like with validation of origins and such.
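One way the "validation of origins and such" could look, as an added example (not Movable Type's code and not from this post). The sub name, the entry table, the host name and the hourly limit are all assumptions, and the requests at the bottom are constructed.

```perl
#!/usr/bin/perl
# Added example: request checks for a hypothetical "mail this entry" handler.
# check_send_request, %ENTRIES, $BLOG_HOST and $MAX_PER_HOUR are assumptions.
use strict;
use warnings;

my $BLOG_HOST    = 'blog.example.org';          # constructed: the site's own host
my %ENTRIES      = (42 => 'MT an open relay');  # constructed: entry id => title
my $MAX_PER_HOUR = 5;                           # assumed per-client limit
my %sent;                                       # client IP => [send timestamps]

# Returns (1, 'ok') if the request may be mailed, otherwise (0, reason).
sub check_send_request {
    my (%r) = @_;    # keys: method, referer, ip, to, from, entry_id
    return (0, 'POST only') unless ($r{method} // '') eq 'POST';

    # Origin check. Referer is client-supplied, so this only filters casual
    # abuse; the checks below bound what any accepted request can send.
    my ($host) = ($r{referer} // '') =~ m{^https?://([^/:]+)}i;
    return (0, 'bad origin') unless defined $host && lc $host eq $BLOG_HOST;

    # Exactly one address per header field: no CR/LF, commas or spaces.
    for my $f (qw(to from)) {
        return (0, "bad $f") unless ($r{$f} // '')
            =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    }

    # Only existing entries can be mailed; the body is built on the server
    # from the entry, never taken from the request.
    return (0, 'unknown entry') unless exists $ENTRIES{ $r{entry_id} // '' };

    # Throttle per client address.
    my $ip     = $r{ip} // '';
    my $now    = time;
    my @recent = grep { $now - $_ < 3600 } @{ $sent{$ip} || [] };
    return (0, 'rate limit') if @recent >= $MAX_PER_HOUR;
    $sent{$ip} = [ @recent, $now ];
    return (1, 'ok');
}

# Constructed requests: a normal one, and one trying to add a second recipient.
my %good = (method => 'POST', referer => "http://$BLOG_HOST/archives/42.html",
            ip => '192.0.2.10', to => 'friend@example.net',
            from => 'reader@example.com', entry_id => 42);
my %bad  = (%good, to => 'a@example.net,b@example.net');
for my $req (\%good, \%bad) {
    my ($ok, $why) = check_send_request(%$req);
    print(($ok ? 'accept' : 'reject') . ": $why\n");
}
```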

TrackBack

Listed below are links to weblogs that reference MT an open relay:

» MT an open relay from Daily Bytes
It seems MT default install acts as an open relay. Every spammer's dream: kasia in a nutshell: MT an open relay [Read More]

» MT Users Beware from Undesignated Blog
Seems that there is a way to abuse Movable Type's tell a friend function. Thanks for the heads up Kasia! You can find more info about this at the Movable Type pages. I fixed it by just removing the functionality.... [Read More]

» Important! from Lobsterblog
Missed this, just before publishing that last item. It's important for all MT users to read this over at Kasia's.... [Read More]

» MT has a hole in a CGI script from Life Is Killing Me
Shitty. MT has a hole in the MT-send-entry.cgi script. I didn't see any of my users using it so I... [Read More]

» To be heard from Quarter Life Crisis
Woohaha, I managed to Um... that person totally confused the hell out of me. someone at LiveJournal. That's certainly a turn at the usual state of affairs, where that... [Read More]