Movable Type Security Hole

If you use Movable Type, you need to read this and this right away, and then you need to get on the horn to your webmaster instantly and tell them they’ve got a big fucking problem on their hands.

The short summary: Movable Type can be turned into an open spam relay if you poke one of their default scripts the right way, and this is already being exploited in the wild.

Shaver, wise and powerful, has instantly fixed the problem on this machine, but if you’ve got your own MT stuff running, you need to either fix it right now or phone somebody who can.

Quick fix: chmod 000 mt-send-entry.cgi
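
On a host with more than one Movable Type install, the quick fix has to reach every copy of the script. The sketch below is an added example, not part of the original post: it finds each copy under a web root, reports the ones not yet at mode 000, and applies the chmod. The function names and the web-root argument are assumptions.

```shell
#!/bin/sh
# Added example: audit and lock down every copy of mt-send-entry.cgi
# under a web root. Function names and the root path are assumptions.

SCRIPT_NAME="mt-send-entry.cgi"

# Print each copy of the script whose mode is anything other than 000.
list_exposed() {
    find "$1" -type f -name "$SCRIPT_NAME" ! -perm 000 -print
}

# Count exposed copies (0 means every copy found is locked down).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Apply the post's quick fix (chmod 000) to every exposed copy,
# then succeed only if nothing is left exposed.
lock_all() {
    find "$1" -type f -name "$SCRIPT_NAME" ! -perm 000 -exec chmod 000 {} +
    [ "$(count_exposed "$1")" -eq 0 ]
}

# Runs only when a web root is passed, e.g.: sh lock-mt.sh /var/www
if [ -n "${1:-}" ]; then
    echo "exposed copies before fix: $(count_exposed "$1")"
    list_exposed "$1"
    if lock_all "$1"; then
        echo "all copies of $SCRIPT_NAME are now mode 000"
    else
        echo "some copies of $SCRIPT_NAME are still exposed" >&2
        exit 1
    fi
fi
```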

5 Comments

  1. Mike B

    Plugged. Thanks for pointing this out, Mike.

  2. Mike Hoye

    Honour to serve, etc.

  3. David

    Another quick fix:

    rm mt-send-entry.cgi

    Unless you’ve deliberately enabled this feature, you’ll never notice.

  4. Mike Hoye

    Yeah, I put that up before I’d figured out if it was patchable, or if a patch was going to be issued or whatever.

  5. Kenneth G. Cavness

    Thanks for the heads-up.