MT send entry security hole

Gummi gives me a heads up on a highly problematic hole in MT, which can basically turn your blog into an open email relay for spammers. To plug the hole, until Six Apart comes up with a permanent fix, you need to do the following as soon as possible:

  • If you do not use the "send this" feature on your MT weblog: back up and remove the script named mt-send-entry.cgi or, alternatively, rename it.
  • If you are using the "send this" feature on your MT weblog but do not want to be exposed: remove all traces of this feature from your MT templates and rebuild as necessary, then back up and remove the script named mt-send-entry.cgi or, alternatively, rename it.
  • If you are using the "send this" feature on your MT weblog and want to keep it: rename the script named mt-send-entry.cgi, then find where this script is called (within your MT templates) and update the name accordingly. I do NOT recommend this! If you continue to use this feature, the new name of the script will still be exposed on your pages, and the script can still be invoked by spammers.

Other reports:

  • Check this thread on the MT forum for more information. See update below.
  • Zope news. I do not recommend this modification, as limiting the script to only one email address doesn't prevent a spammer from using a robot to invoke the script one address at a time.

Update: Ben Trott has responded on the 24th:

All,

This is a bug in the MT code that sends mail using sendmail. If you're using SMTP, you are not, I don't think (sic), susceptible to this. The problem is that the code is not doing enough input validation on the From and To fields that are used in the mail message.

The fix will be in the next version of MT, but in the meantime, here's a fix.

1) Open mt-send-entry.cgi in a text editor.

2) Before line 40, add these lines:

   # Reject CR/LF in the recipient and sender fields, so that neither
   # can break out of its header line and inject further mail headers.
   die "Invalid from or to value"
       if $to =~ /[\r\n]/ || $from =~ /[\r\n]/;

But something tells me that a robot can still invoke the script repeatedly, one email address at a time. Another suggestion is to remove the ability to add custom content to the email, which would remove the incentive for spammers.
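The check in Ben Trott's fix, carried over to Python as an added example (this is not code from the original post or from Movable Type): a value containing a carriage return or line feed ends the To: or From: header line and lets extra headers be supplied, so any such value is refused before the message is handed to sendmail. The build_message helper and the example.com addresses are constructed for illustration, and the helper goes slightly beyond the fix by applying the same test to the Subject field too.

```python
import re

# Characters that end a header line. A value containing one of them can
# terminate the To: or From: header and start a new header of the sender's
# choosing (for instance extra recipients), which is how the unpatched
# mt-send-entry.cgi could be turned into a relay when mail goes via sendmail.
HEADER_BREAK = re.compile(r"[\r\n]")


def has_header_break(value: str) -> bool:
    """Same test as the Perl fix: True when the value contains CR or LF."""
    return HEADER_BREAK.search(value) is not None


def build_message(to: str, sender: str, subject: str, body: str):
    """Build the text that would be piped to `sendmail -t` (constructed helper).

    Returns (True, message) when every header field is clean, or
    (False, reason) when a field would inject additional headers.
    The fix in the post validates only To and From; this helper applies
    the same rule to every header it emits, which is an extension.
    """
    for name, value in (("To", to), ("From", sender), ("Subject", subject)):
        if has_header_break(value):
            return False, f"Invalid {name} value"
    headers = f"To: {to}\r\nFrom: {sender}\r\nSubject: {subject}\r\n"
    # The blank line ends the header block: sendmail -t stops reading
    # headers there, so the body itself cannot add recipients. That is why
    # only the header fields need this check.
    return True, headers + "\r\n" + body


if __name__ == "__main__":
    # Constructed inputs; the addresses are placeholders.
    ok, msg = build_message("reader@example.com", "blog@example.com",
                            "Entry: hello", "Thought you might like this.")
    print(ok, repr(msg))
    ok, reason = build_message("reader@example.com\r\nBcc: many@example.com",
                               "blog@example.com", "Entry: hello", "...")
    print(ok, reason)
```

As the post notes, this only stops header injection; it does nothing against a robot that calls the script once per address with clean values, so it is a necessary fix rather than a complete one.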
