Not that you asked...  
   


« How's it linGOing? | Main | Simple stuff... like online search. »

January 24, 2005

MovableType Comment Flaw Exploited

Spammers discovered an exploit in MovableType's (blogging software - which is used on this blog)
comment feature yesterday and started hitting all servers with MT
installed hard, causing large slowdowns in http requests and mysql
processing (if the MT install used MySql).

The exploit is similar to the old FormMail exploit in that it allows
the spammer to cc/bcc others thru the comment script to send out spam
thru the server hosting the blog. MovableType has issued an updated
release (v3.15) that closes the security hole along with a patch
that's tested for backwards compatibility back to v2.661 (and it may
also work with v2 versions before that but they haven't tested that).

Anyone currently running MT or hosting someone using MT should disable
the mt-comments.cgi file and/or upgrade to v3.15 or install the patch
and then the mt-comments.cgi file can be enabled again.

The updated version and the patch are available here:
http://www.movabletype.org/news/2005/01/movable_type_315_release.shtml

I had been battling comment spam for some time, and took some measures against it. I renamed my version of the comments script - but that only reduced the amount of abuse. Then, I disallowed comments from unregistered users. Spammers hate having to register - and they lie about it anyway.

I'll probably download this patch later tonight and run it - will post as to the results - level of effort and difficulty etc...

Posted by gcrgcr at January 24, 2005 10:22 PM

Trackback Pings

TrackBack URL for this entry:
http://www.tombartel.com/mt/mt-tb.cgi/32

Comments

Ohhh, Im so glad you posted this, as I finally upgraded my moveabletype install from way back. Guess I need to get on that upgrade asap !

Posted by: trickychicken [TypeKey Profile Page] at January 28, 2005 7:57 AM

Have you upgraded it already?

Posted by: Type Key [TypeKey Profile Page] at May 11, 2005 5:04 PM

Post a comment

Thanks for signing in, . Now you can comment. (sign out)

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


Remember me?


 

 

 

 
  footer image