MT security/spam vulnerability

Movable Type has a newly discovered security/spam relay vulnerability; anyone using it oughta check out:


I couldn’t access the Movable Type website for a while, but I managed to read through the thread before their site stopped responding. I can now reach their site again, but just in case you can’t later, here’s the scoop.

The alleged security problem is that the mt-send-entry.cgi script can effectively be used to create an open relay email server for use by anyone, including spammers. The mt-send-entry.cgi script is intended to be used to send an email to someone whenever you post a new entry. However, it doesn’t do a security check before sending the email.

The quickest fix is to delete the file from your MT install. When Movable Type releases a patched version of the file, you can copy the new version to your website, assuming you even used this feature.

If you don’t want to delete it for some reason, at least rename the file to something obscure or, even better, make it non-executable.
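As an added example that is not part of the original post, the following POSIX shell script does two of the defender-side things discussed above: it counts requests to mt-send-entry.cgi per client IP in a combined-format web access log (so relay abuse of the script stands out), and it applies the "make it non-executable" fix to every copy of the script under an MT install directory. The log lines and the install path are constructed for the demo; the access-log format is assumed to be the usual Apache combined format.

```shell
#!/bin/sh
# Added example, not Movable Type's own code.
#  mt_send_entry_hits LOGFILE      - per-IP request counts for mt-send-entry.cgi, busiest first
#  mt_send_entry_top_count LOGFILE - highest per-IP count (0 if the script was never requested)
#  neutralize_mt_send_entry MT_DIR - strip execute bits from every mt-send-entry.cgi under MT_DIR

mt_send_entry_hits() {
    # Field 1 of a combined-format log line is the client IP; only the CGI in question is counted.
    grep 'mt-send-entry\.cgi' "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

mt_send_entry_top_count() {
    c=$(mt_send_entry_hits "$1" | head -n 1 | cut -d' ' -f1)
    echo "${c:-0}"
}

neutralize_mt_send_entry() {
    # chmod a-x each copy; -print only fires for files chmod succeeded on, so wc -l counts them.
    found=$(( $(find "$1" -type f -name 'mt-send-entry.cgi' -exec chmod a-x {} \; -print | wc -l) ))
    echo "$found"
    [ "$found" -gt 0 ]   # non-zero exit if nothing was found to fix
}

# --- constructed demo data: a fake MT install and a short access log -----------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/cgi-bin/mt"
printf '#!/usr/bin/perl\n' > "$DEMO/cgi-bin/mt/mt-send-entry.cgi"
chmod 755 "$DEMO/cgi-bin/mt/mt-send-entry.cgi"
cat > "$DEMO/access.log" <<'EOF'
203.0.113.5 - - [10/Oct/2003:10:00:01 +0000] "POST /mt/mt-send-entry.cgi HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2003:10:00:02 +0000] "POST /mt/mt-send-entry.cgi HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2003:10:00:03 +0000] "POST /mt/mt-send-entry.cgi HTTP/1.0" 200 512
192.0.2.44 - - [10/Oct/2003:10:05:00 +0000] "GET /mt/mt.cgi HTTP/1.0" 200 8192
192.0.2.44 - - [10/Oct/2003:10:06:00 +0000] "POST /mt/mt-send-entry.cgi HTTP/1.0" 200 512
EOF

echo "Requests to mt-send-entry.cgi by client IP:"
mt_send_entry_hits "$DEMO/access.log"
echo "Files made non-executable: $(neutralize_mt_send_entry "$DEMO")"
```

Point the two functions at your real access log and MT directory instead of `$DEMO`; a single source making many POSTs to the script is the pattern to look for.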