
Movable Type's Spam Hole
December 4, 2003 6:34 PM

Movable Type 2.64 contains a major vulnerability to spammers. The spam hole, which exists in all versions of the program downloaded before November 26, centers around the mt-send-entry.cgi script, which can be co-opted by spammers who then use your domain and resources to do their dirty work. Users are encouraged to download and install the new "secured" version of mt-send-entry.cgi or to remove the file from their installation altogether. (If it is not being used, it can be safely deleted without affecting other MT functionality.) The question does arise though, with literally tens of thousands of MT users affected by this vulnerability, why didn't anyone at Six Apart think that this news warranted an announcement anywhere beyond the Movable Type news blog?
posted by Dreama (34 comments total)
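The post above describes the hole only in outline (a script on your host that spammers can turn into a relay for their own mail) and names two remedies, deleting mt-send-entry.cgi or installing the secured copy. For a reader who wants to see what a "secured" send-this-entry handler has to do before it is safe to keep, here is an added example; it is not part of this thread and is not Six Apart's code, and it does not reproduce whatever the secured mt-send-entry.cgi actually changed. Written in Python rather than Movable Type's Perl, it assumes a hypothetical form with the fields `entry_id`, `to`, `from_name` and `note`, a constructed table of published entries, and a caller-supplied outbox; the policy choices (one recipient, only published entries, a fixed template, no links in the free-text note, a per-address rate limit, a fixed envelope sender) are this example's own.

```python
import re
import time
from collections import defaultdict, deque

# Constructed table of published entries (hypothetical; not Movable Type's data model).
ENTRIES = {
    1: {"title": "Hello world", "url": "https://example.com/archives/000001.html"},
    2: {"title": "Second post", "url": "https://example.com/archives/000002.html"},
}

# One plain address; used with fullmatch so a CR/LF or a second address cannot slip through.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_NOTE_LEN = 300
MAX_NAME_LEN = 60
RATE_LIMIT = 5        # messages per client address per window (example policy)
RATE_WINDOW = 3600    # seconds


class RateLimiter:
    """Sliding-window counter keyed by client address; the clock is injectable for tests."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def clean_line(value, max_len):
    """Collapse a form field to one bounded line: no CR/LF, so no header injection."""
    return " ".join(str(value).split())[:max_len]


def build_message(entry, sender_name, note, site_name="example.com"):
    """Fixed template: the only caller-controlled parts are a short name and note.

    The spammer's usual goal, a body of their choosing, is not available here."""
    body = (
        f"{sender_name} thought you might like this entry on {site_name}:\n\n"
        f"  {entry['title']}\n  {entry['url']}\n"
    )
    if note:
        body += f"\nNote from {sender_name}: {note}\n"
    return {"subject": f"[{site_name}] {entry['title']}", "body": body}


def send_entry(form, client_ip, limiter, outbox, entries=ENTRIES):
    """Validate a 'send this entry' request; on success append one message to outbox.

    Returns (status, detail). Every rejection happens before anything is queued."""
    try:
        entry_id = int(form.get("entry_id", ""))
    except ValueError:
        return ("rejected", "entry_id is not an integer")
    entry = entries.get(entry_id)
    if entry is None:                                  # only real, published entries
        return ("rejected", "unknown entry")

    to = form.get("to", "").strip()
    if not EMAIL_RE.fullmatch(to):                     # exactly one address, no CR/LF
        return ("rejected", "recipient is not a single valid address")

    sender_name = clean_line(form.get("from_name", ""), MAX_NAME_LEN) or "a reader"
    note = clean_line(form.get("note", ""), MAX_NOTE_LEN)
    if re.search(r"(?i)https?://|www\.", note):        # body carries only the entry's own link
        return ("rejected", "note may not contain links")

    if not limiter.allow(client_ip):                   # bounds what one source can relay
        return ("rejected", "rate limit exceeded")

    msg = build_message(entry, sender_name, note)
    msg["to"] = to
    msg["envelope_from"] = "noreply@example.com"       # fixed sender, never the form's choice
    outbox.append(msg)
    return ("sent", f"entry {entry_id} to {to}")
```

The point of the design is that an open "send this entry" script is an open relay: if the form chooses the recipient list, the sender and the body, the script is a mail gateway with your domain on it. Each check above removes one of those degrees of freedom, and the outbox is passed in so the same logic can be exercised without a mail server; wiring it to an actual MTA is left to the caller.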

What else are they supposed to do? Anil, who works for them, pointed it out on his high-traffic personal site. I guess they could have emailed everyone that ever downloaded it, but I'm sure that's tens of thousands of people.
posted by mathowie at 6:36 PM on December 4, 2003


Well, they do ask for an email when you download a copy, don't they? What's that for, other than situations like this?

That said, though, I tend to agree with Matt. If you're savvy enough to install MT, you're savvy enough to maintain it with some degree of diligence. Hell, I've known about this since a few hours after it came to light, like, what, a week ago already. It might have been a good idea to email non-techy people they did paid installs for, perhaps, and for all I know they did that very thing.
posted by stavrosthewonderchicken at 6:42 PM on December 4, 2003


This news was all over the place.

It would seem to me that if you use MT and are capable of getting the thing installed and running it's likely that you read other weblogs. In that case it would have been pretty hard to miss.

I was impressed with how quickly the news spread. I thought I was right on top of it (the initial forum thread was on Nov. 22), but when I mentioned it to a couple of other people a few days later the universal response was, "Oh yeah, I saw that on ..."
posted by cedar at 6:54 PM on December 4, 2003


Surprise, surprise, not everyone who uses MT reads Anil Dash or Ben or Mena's sites. Or the sites of any of the other "high profile" members of the blogosphere, either. Believe it or not, there are technically savvy, self-installing, "web content is my bitch" kinds of people who are happily detached from the general blog world and don't use it to get news about their CMS or anything else. But as MT users, they, like the blogosphere muckety-mucks were asked:

Would you like to join MT-users, a low-volume, announce-only list about Movable Type?

And many have, presuming that if something important came down the pike about MT, it'd be announced there. But the last e-mail to the list was back in, um, May looks like. There was no acknowledgement of this problem on the forums until users started bitching about the exploit.

Hence the complaint. One shouldn't have to read someone else's blog or go in search of information like this, especially if they've specifically asked to be kept informed about news and announcements about a product.
posted by Dreama at 6:55 PM on December 4, 2003


Fair enough. I might've signed up for that too, but I can't recall. Don't think I've ever gotten any MT-list email from them, which is pretty much how I like it, personally.
posted by stavrosthewonderchicken at 7:13 PM on December 4, 2003


Heh. Spam hole.
posted by funkbrain at 7:24 PM on December 4, 2003


Thanks Dreama. I didn't know until just now since I don't read many of the 'high profile' blogs either.

Sending a note out to the MT-list would have been nice. The last thing I think I got from that list was announcing Typepad.
posted by birdherder at 7:30 PM on December 4, 2003


Here's an idea, what if MT had an option to enable a movabletype.org hosted iframe in the admin panels that was used specifically to alert users to issues like this?
posted by machaus at 7:44 PM on December 4, 2003


In retrospect I agree, Dreama. This is something that could have been made more widely known via the mailing list and/or something in the Announcements section of the forum. As it is I had to search my weblog for the link to the forum thread and haven't seen the front page of the MT site in more than a year (where is that MT Pro anyway?).

I think I signed up for the list at one point. I don't, however, have any mail from them in an archive going back some 18 months, so maybe I never did.

As I read over the thread in the support forums I get the distinct impression that Ben wasn't overly concerned and views it as a flaw inherent in any "send this entry" functionality. I gather that there is no real fix and if you want that send an entry thing it's something you have to live with. I just deleted mine, I never used it anyway and would hate to see my domain get blackholed for spam. Another potential concern would be that if this develops into a widely used exploit isn't there a risk of hosts banning MT outright? I don't see too many allowing Greymatter installs or Matt's formmail these days.
posted by cedar at 7:45 PM on December 4, 2003


Part of me says, "yep -- should have been announced on the mailing list we all signed up for..." and the other part says, "hey! It's free-fricking-software (for most), how upset can you be that there isn't full-time support staff taking care of all these pesky details like sending email to -the list!? No one is forcing you to use MT." *shrug*
posted by stigg at 7:49 PM on December 4, 2003


Hence the complaint. One shouldn't have to read someone else's blog or go in search of information like this, especially if they've specifically asked to be kept informed about news and announcements about a product.

Exactly. Are users of a piece of blogging software expected to read a developer's weblog to keep up to date with vulnerabilities like this simply because it's blogging software? Part of the responsibility of developing, maintaining, and distributing software is keeping your users informed and aware of updates, especially when you keep a (supposed) email list for that purpose. No one would expect Mozilla users (for example) to read the weblogs of its developers for security/feature/whatever updates, so why MT?
posted by djc at 7:56 PM on December 4, 2003


I guess they could have emailed everyone that ever downloaded it, but I'm sure that's tens of thousands of people.

that's exactly what they should have done, actually.
posted by donkeyschlong at 8:04 PM on December 4, 2003


stigg : "...how upset can you be that there isn't full-time support staff taking care of all these pesky details like sending email to -the list!?"

That's nonsense. There is a huge difference between a full time support staff and the five (or less) minutes it takes to compose a brief email message and click 'send'. A simple link to a more comprehensive explanation would have taken much less time to write than the responses Ben wrote to a forum thread that is now some 12 pages deep.

I've voluntarily donated to MT more than once and will continue to do so. I have participated on the forums and done many installs (along with subsequent contributions on their part) for others.

The volunteers on the support boards do an admirable job and some put a great deal of effort into their responses; there is no need for a full time support staff as the community currently does a phenomenal job.

I love Six Apart, will continue to recommend MT and cannot imagine maintaining a personal site without it (though WordPress is coming along nicely), but they dropped the ball on this one.
posted by cedar at 8:06 PM on December 4, 2003


Thanks, Dreama, I had not heard of this either (not being an A, B or C-lister probably contributed to this). Easily fixed with one application of the delete key.

Movable Type comes free and the level of technical support and documentation is excellent given that simple but vital fact, so I see no cause for anyone to complain.
posted by dg at 8:07 PM on December 4, 2003


This "Movable Type"...is it something that one would need a blog to know about?

Sorry. I just *had* to. Regarding the issue: yes, a mass-mailing would have been nice, but it didn't happen, so Ben & Mena are mildly chided by some, but all is forgiven, because MT is a wonderful (and free) tool.

End of story. Right?
posted by davidmsc at 8:24 PM on December 4, 2003


login: Melody
pwd: *******
Welcome, Melody
cd public_html
rm -r mt
*sigh*
posted by shoepal at 8:36 PM on December 4, 2003


thanx for the heads up dreama, i don't read "A" list blogs either because my "A" list strangely doesn't match the main "A" list.

also, i bet they could fix it so that send-entry function can't get hijacked. just because they think they can't fix it doesn't mean it can't be done.
posted by Stynxno at 8:40 PM on December 4, 2003


This Movable Type, is it a Microsoft product? ;-P
posted by mischief at 8:52 PM on December 4, 2003


That explains the bounces from AOL with non-existent email accounts on my domain. *grumble*
posted by letterneversent at 8:53 PM on December 4, 2003


In hindsight, you're right, we should have announced it on the mailing list as well as on movabletype.org. The fact is, though, when we do send messages to our mailing lists, such an inordinate number of the messages are never received because of whitelist spam filters and other bounces that it seemed a more efficient method to announce it on the web site. But your point is well taken--we should have done both.
posted by mgtrott at 8:54 PM on December 4, 2003


The concern here is valid. I love Ben, Mena, the MT crew, Six Apart, and MT. I would take genetic samples, and spawn archipelagos of Trotts to please the online cognoscenti. But even if they, despite their loveliness, screwed up with a major security hole and failed to inform their userbase via a simple email, then it's fair game to criticise them, much as the people who tore into Ev hard when Blogger had its major security issue (admittedly, more severe than this) or the RSS 2.000000000419 debacle, that, from what I could determine, involved some hubristic tyrant wanting control of a standard.

When MT was created, the whole point of it was that it was intended to be highly secure, tailored to the uber-geeks or those barely capable of configuring things.

Me? I'd sooner stare for hours at random series of numbers than read some developer blog that would bore me to tears. I don't think I've read the "high-profile" blogs in question here for months. And I thank Dreama for bringing this to my attention.

Perhaps the first thing for Six Apart to do is address this to their userbase with an email or incorporate some kind of auto-update feature into the next version of Movable Type that would allow all MT users to be aware of any similar problems that might come into play, perhaps tying this into Trackback or something.
posted by ed at 8:55 PM on December 4, 2003


"hey! It's free-fricking-software (for most), how upset can you be that there isn't full-time support staff taking care of all these pesky details like sending email to -the list!?"

This is kind of a loaded comment. It's fricking free for most, but not all. People actually pay for this product, and they should be informed of situations like this. Windows users hold Microsoft responsible for security issues, this is no different.

Besides, if they can take the time to post it on both their business site, and a personal site, how much longer could it take to send out an email?

No one is forcing you to use MT.

I hate when people use that as a line of defense. You can say that about any damn thing in the world. Get hit by a car? Well, no one is forcing you to cross the street! Catch a cold? No one is forcing you to leave the house! What crap!

The fact of the matter is this: If a business is offering a product, whether it's free or not, and it poses some kind of security issue they should make it their first priority to alert as many of their users as fast as possible.
posted by paulrockNJ at 8:56 PM on December 4, 2003


Geez. Kind of a moot point after Mena posted. Alas, she did so while I was typing....
posted by paulrockNJ at 8:58 PM on December 4, 2003


Uh, shoepal... they're pretty clear about changing the default login. There aren't too many web apps that come without one (makes the installers kinda rough to run).

I'm also not really clear on how getting into someone's improperly installed MT gets you to a command line in a shell. Wouldn't you need just a wee bit more information before putting your mad skillz to work?
posted by cedar at 8:58 PM on December 4, 2003


That explains the bounces from AOL with non-existent email accounts on my domain. *grumble*

Not really. Someone could have just spoofed your domain as the reply-to address.
posted by mkn at 9:34 PM on December 4, 2003


Oy! Good to know. I'm an MT user and I didn't know about this until just now. That is a bit troubling, but at least I know now.

Thanks for the heads up.
posted by Hildegarde at 9:46 PM on December 4, 2003


I'm using MT 2.51, do I still need this update? Or is it a new thing with 2.64?
posted by Orange Goblin at 2:17 AM on December 5, 2003


Orange Goblin - "The spam hole, which exists in all versions of the program downloaded before November 26"

The post says you're susceptible if you downloaded before Nov 26. I'm assuming that's Nov. 26, 2003. Mt-send-entry.cgi deleted. Thank you, Dreama.
posted by iconomy at 4:50 AM on December 5, 2003


Part of the responsibility of developing, maintaining, and distributing software is keeping your users informed and aware of updates, especially when you keep a (supposed) email list for that purpose.

But every main page of the MT back end has a link to the movabletype.org homepage.

So, in effect, everyone you claim wouldn't have known about this bug was in fact only one click away from information about it the whole time.
posted by tapeguy at 6:06 AM on December 5, 2003


I have to admit that this is exactly the type of thing that makes me love TypePad so much. Functionality of MovableType, and if something goes wrong, it is SixApart's problem, not mine.

When I was running MovableType, I used to have the homepage in my weekly bookmark list, checking it for updates.
posted by benjh at 6:16 AM on December 5, 2003


Hey cedar, I just used the login "Melody" as a silly reference to MT's default login after you install the MT package. That's all. The rest was my way of fixing the spam hole. *sigh*
posted by shoepal at 6:48 AM on December 5, 2003


the only other people who would set up a blog as their cms that aren't already people "in the know" who read other people's blogs are those who are extremely lazy about making content.
bloggers either believe the hype or are extremely lazy.
posted by the aloha at 4:41 PM on December 5, 2003


I didn't know about this. I guess that means I am extremely lazy. Thanks for the heads-up, Dreama.
posted by moonbiter at 1:42 AM on December 7, 2003


Seeing as Mena has posted here, could she at least tell us whether the MTPro launch is likely to be soon? I knew it's free (etc etc) but I've donated a fair whack of money to support them and also get a discount off Pro. I've also got clients hankering after it, and they're beginning to think I'm fobbing them off...
posted by wibbler at 11:46 AM on December 7, 2003

