MT Bug Allows Spammers to Send Email Through mt-comments.cgi

Ouch. A bug in Movable Type allows spammers to send email via the mt-comments.cgi script. MT 3.15 fixes the bug; but word is out, and MT installations which haven’t yet updated are getting hammered by spammers. Six Apart has also released a small plug-in that fixes the same bug, for those running older versions of MT or who simply want to close the hole as quickly as possible.

The bug was that MT accepted newline characters within email addresses, which let spammers inject additional message headers into notification emails. Inject a couple of thousand addresses in a Bcc: header, and blammo.
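To make the mechanism concrete, here is an added Python illustration (not Movable Type's Perl code) of why an unvalidated address becomes an extra header, next to the check that closes the hole; the addresses and subject are constructed sample values.

```python
import re

# Constructed sample inputs: one ordinary address, and one carrying an
# embedded newline followed by a header line, as described in the post.
CLEAN_ADDR = "reader@example.com"
TAINTED_ADDR = "reader@example.com\nBcc: someone@example.net"

# Characters that terminate a header line (or truncate it in C-based MTAs)
# and therefore must never appear inside a single header value.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")


def build_headers_unsafe(from_addr: str, to_addr: str, subject: str) -> str:
    """Vulnerable pattern: the commenter's address is interpolated straight
    into a header line, so any newline it contains starts a new header."""
    return f"From: {from_addr}\nTo: {to_addr}\nSubject: {subject}\n"


def header_names(raw: str) -> list:
    """Split a header block one header per line, the way an MTA reads it,
    and return the header names in order."""
    return [line.split(":", 1)[0] for line in raw.splitlines() if ":" in line]


def is_safe_header_value(value: str) -> bool:
    """True only if the value cannot end the current header line."""
    return _HEADER_BREAK.search(value) is None


def build_headers_safe(from_addr: str, to_addr: str, subject: str) -> str:
    """Hardened pattern: refuse any externally supplied value that could
    break out of its header before building the message."""
    for name, value in (("From", from_addr), ("To", to_addr), ("Subject", subject)):
        if not is_safe_header_value(value):
            raise ValueError(f"{name} header value contains a line break")
    return build_headers_unsafe(from_addr, to_addr, subject)


if __name__ == "__main__":
    # With the tainted address the MTA sees four headers, not three.
    print(header_names(build_headers_unsafe(TAINTED_ADDR, "author@example.org", "New comment")))
    # → ['From', 'Bcc', 'To', 'Subject']
```

The same rule applies to any header built from user input, not just the address: validate for CR, LF and NUL before interpolation, or use a mail library that refuses them.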

Tuesday, 25 January 2005