Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

November 23, 2003

More MT Spam Vulnerabilities

I think we got us a theme going…

Remember insecure formmail scripts? How very 1990s, eh?

As if comment spam were not bad enough, MovableType includes, in its default installation, a CGI script called mt-send-entry.cgi which — you guessed it! — can be used to send email anonymously to anyone in the world.

And, no, this is not a merely theoretical issue; it’s being actively exploited by spammers.

Ben Trott has proposed the following patch to address the issue

--- mt-send-entry.cgi.orig      Sun Nov 23 20:21:12 2003
+++ mt-send-entry.cgi   Sun Nov 23 21:23:48 2003
@@ -37,6 +37,8 @@
         die "Missing required parameters\n";
     }
 
+    die "Invalid from or to value"
+       if $to =~ /[\r\n]/ || $from =~ /[\r\n]/;
     my $entry = MT::Entry->load($entry_id)
         or die "Invalid entry ID '$entry_id'";
     my $blog = MT::Blog->load($entry->blog_id);

But that addresses only one of the various ways in which this script can be exploited. Spammers can still send as much email as they want, with arbitrary message body content, to whomever they want, and do so completely anonymously. The only thing they can’t get rid of is the subject line

Subject: [Your Blog Name] Recommendation: Your Entry Title

which serves only to sully your reputation, and the first line of the message body,

Some fake email address has sent you a link!

(The link to your blog entry itself — at the bottom of the message body — is easily omitted, not that anyone will care.)

Unless you feel you absolutely must use this CGI script to allow anonymous visitors to mail arbitrary messages to whomever they please, you’d be much better off simply disabling it. Change the permissions on the offending script to make it inexecutable, or remove it entirely.

Do it now, before your blog is exploited by spammers.

Update (11/26/2003): Ben Trott has posted a message warning the vast majority of MT users, who don’t use this CGI script, to disable/remove it. He’s also posted an improved version (better than the patch above, but still only “spam-resistant”, rather than “spam-proof”) of the script.

Posted by distler at November 23, 2003 9:57 PM

TrackBack URL for this Entry:   https://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/252



7 Comments & 22 Trackbacks

Read the post MT Spam Vulnerability
Weblog: leuschke.org links
Excerpt: I just knew all that`send this entry' crap was a bad idea
Tracked: November 25, 2003 10:16 PM
Read the post Otra vulnerabilidad en MT
Weblog: minid.net
Excerpt: Movable Type 2.6 tiene un agujero de seguridad, la molestia ahora es un archivo llamado mt-send-entry.cgi.
Tracked: November 26, 2003 6:42 AM
Read the post Spammarar misnota MT
Weblog: Dagbók Kristjáns og Stellu
Excerpt: Þeir sem nota Movable Type þurfa að gæta sín. Spammarar eru nefnilega farnir að misnota mt-send-entry.cgi virknina til að senda út nafnlausan ruslpóst frá tölvum sem hýsa MT. Sjá meira...
Tracked: November 26, 2003 7:48 AM
Read the post ¿vulnerabilidad? de movable type
Weblog: los dedos de tna?
Excerpt: debo recordar esto cuando llegue a casa, para solucionar este fallo (¿vulnerabilidad? el sistema no es exactamente vulnerable, no se le ataca... tal vez el nombre sería "carencia de lealtad" [no funciona como se esperaba que funcionase]) de movable typ...
Tracked: November 26, 2003 7:50 AM
Read the post Disable MovableType's Send Entry Script
Weblog: hatch.org
Excerpt: The file 'mt-send-entry.cgi' in a default MovableType installation can be used to relay spam. If you're not using the script to allow your users to "Send this Entry by Email", you can safely remove the file from your MT install...
Tracked: November 26, 2003 8:26 AM
Read the post Aviso para usuarios de Movable Type
Weblog: Enrique Barbeito García v3.0pre1
Excerpt: Vía minid me entero de que uno de los scripts CGI que Movable Type incorpora por defecto permite transmitir SPAM a través de nuestros weblogs. Se trata del fichero mt-send-entry.cgi inicialmente ideado para permitir a cualquier usuario el envío de...
Tracked: November 26, 2003 9:16 AM
Read the post mt-send-entry must be stopped
Weblog: Vertical Hold
Excerpt: mt-send-entry.cgi must be stopped.
Tracked: November 26, 2003 10:14 AM
Read the post Security Vulnerability
Weblog: anything but ordinary
Excerpt: There is an MT vulnerability that has been discovered recently. It enables the intruder to send anonymous e-mail from your host, if I understand the problem correctly. More info can be found here: Musings: More MT Spam Vulnerabilities Ben's Post...
Tracked: November 26, 2003 11:39 AM
Read the post deleted
Weblog: Snapping Links II (The Revenge)
Excerpt: some people just need to suffer the wrath of the shiny red button. (no, not the person who wrote this link. the spammers. what are you, dense?)
Tracked: November 26, 2003 3:07 PM
Read the post Blogspam II: MT as a relay
Weblog: TeledyN
Excerpt: Just when you thought it was safe to go back into the blogosphere, Jacques Distler tells us there's Musings: yet another MT spam vulnerability: The web's most popular bloghosting platform can also...
Tracked: November 26, 2003 4:35 PM
Read the post MT Vulnerability
Weblog: Phoenix's Cave
Excerpt: If you are running MT, I suggest you run over to this site and here to protect yourself from a vulnerability that allows hackers to send email through you. Run, MT User, RUN! via the grrl...
Tracked: November 26, 2003 6:04 PM
Read the post More MT Trouble...
Weblog: Team Murder
Excerpt: Uh oh. Looks like another piece of the default Movable Type install is exploitable by spammers. The word is deleting...
Tracked: November 27, 2003 2:30 AM
Read the post 2003-11-27 15:43:36
Weblog: The Plastic Cat | Links
Excerpt: Build your own paper models of Nintendo characters A nice collection of photos of aurorae Some early Oscar predictions More on the cinematic abortion that will be Steve Martin as The Pink Panther November 28th is Buy Nothing Day....
Tracked: November 27, 2003 9:45 AM
Read the post MT spam vulnerability (and ways to trap the bad guys)
Weblog: The Communication Tube
Excerpt:
Tracked: November 27, 2003 8:53 PM
Read the post more MT spam vulnerabilities...
Weblog: judith meskill's knowledge notes...
Excerpt: If you utilize Movable Type for your weblog this is mandatory reading: Musings: More MT Spam Vulnerabilities...
Tracked: November 27, 2003 9:41 PM
Read the post MovableSpam?
Weblog: Temperantia R3
Excerpt: A big Thank You to Scott at The Computer Vet for posting an entry about a security risk in Movabletype, a blog publishing software package. It just so happens that I use Movabletype (which you will note the acknowledgement at...
Tracked: November 28, 2003 7:28 PM
Read the post Time to go back into your Movable Type directory
Weblog: Now This log
Excerpt: Do you use Movable Type? Time to go back into your MT directory and delete (or at least replace) a file: Musings: More MT Spam Vulnerabilities As if comment spam were not bad enough, MovableType...
Tracked: November 28, 2003 8:40 PM
Read the post Spammers find MT's open relay
Weblog: Radio Free Blogistan
Excerpt: Been busy holidayin' and doing other stuff lately, so a lot of the basic substrate of blog news and blog gossip is passing unremarked. By now, most MT users probably know that Movable Type is vulnerable as an open spam relay. If you are not using the "...
Tracked: November 29, 2003 3:49 PM
Read the post Movable Type Spam Vulnerability
Weblog: Joe Grossberg
Excerpt: If you're an Movable Type user who bothers to keep their software up to date, you're probably already on top...
Tracked: November 30, 2003 7:04 PM
Read the post re: 1and1 and Apache - pretty good environment
Weblog: shawn's blog
Excerpt:
Tracked: December 2, 2003 1:35 PM
Read the post MovableSpam?
Weblog: Temperantia R3
Excerpt: A big Thank You to Scott at The Computer Vet for posting an entry about a security risk in Movabletype, a blog publishing software package. It just so happens that I use Movabletype on my other blog (which you will...
Tracked: December 26, 2003 7:23 PM
Read the post Movable Spam
Weblog: The Computer Vet Weblog
Excerpt: If you have a Movable Type blog (even one you don’t use), it needs to be patched. It seems that there’s a file in there, mt-send-entry.cgi, that can be used by spammers as an open relay. Whoopsie! Best thing is...
Tracked: January 5, 2004 1:41 AM

Re: More MT Spam Vulnerabilities

We had many problems with formmail. Many servers get banned for sending a spam without their knowledge…

Posted by: Gry java on January 14, 2004 10:06 AM | Permalink | Reply to this

Re: MT “Post Status” Vulnerabilities

In a similar vein, don’t assume that people can’t read your “Draft” posts. Once you save it, they can submit comments and forcibly publish the entries.

Detailed in my post describing the problem and possible solutions.

Posted by: Joe Grossberg on January 21, 2004 5:35 PM | Permalink | Reply to this

Re: More MT Spam Vulnerabilities

I’m looking for a megaton of SPAM to go my way. Feel free to SPAM the following accounts:

curly@csat.binc.net
moe@csat.binc.et

curly@csat.binc.net
moe@csat.binc.net

Posted by: curly on January 27, 2008 3:17 PM | Permalink | Reply to this

Re: More MT Spam Vulnerabilities

Hi! I know this is a pretty old post, but you seem so knowledgeable about spam vulnerabilities in MT that I thought I’d take a chance and ask you about an MT post of mine that seems permanently marked in google search with a spam title:

http://emdashes.com/2007/07/women-filmgoers-and-women-film.php

I’ve searched all the text and all the comments for spam, and can’t find any. How could a spam title (about pharmaceuticals–you’ll see what I mean if you google “emdashes david denby doomed”) have attached itself to my post title in search? How can I get rid of it? It’s very frustrating, since it was a popular post and people still occasionally search for it.

Thanks a lot, if you’re reading these!

Emily

Posted by: Emily on October 22, 2011 12:28 PM | Permalink | Reply to this

Re: More MT Spam Vulnerabilities

For even more fun, google “site:emdashes.com viagra”.

Looks like a PHP hack, in which they’ve injected some PHP code (into your database? into an “image” file on your site?), which sends alternate, spammy, content to some User-Agents (search engines), but the regular content to others.

Good luck cleaning up your site.

Posted by: Jacques Distler on October 22, 2011 2:28 PM | Permalink | PGP Sig | Reply to this

Re: More MT Spam Vulnerabilities

Thanks for looking at it! That is very strange. I’m not a programmer; do you have any more info about that kind of hack? I can google it too, of course.

In the meantime, I’ll look through the image files! I searched all the templates for spam too.

Maybe I’ll change all my users’ MT passwords too just for the heck of it.

Thanks again, and any suggestions are invaluable–I hate that these popular posts, or posts I’m proud of for one reason or another, are infected with this junk.

Posted by: Emily on October 23, 2011 12:46 AM | Permalink | Reply to this

Re: More MT Spam Vulnerabilities

First of all, let me convince you that this is real.

  1. Install the User-Agent Switcher extension for Firefox.
  2. Switch your UserAgent String to the one for the Googlebot ( “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)” ).
  3. Visit this page.

Most likely, the attackers have inserted some hostile PHP code into your templates. The MT Administrative interface will let you see whether the stuff (entries, comments and templates) in your database have been modified. (Assuming that it, too, has not been compromised.)

That leaves you with the problem of cleaning up the mess, and plugging the hole that allowed them access in the first place.

If you’re not comfortable with such matters, you may need to hire someone. I suggest talking to you hosting provider (since it’s not necessarily your account that was compromised).

Posted by: Jacques Distler on October 23, 2011 11:35 AM | Permalink | PGP Sig | Reply to this

Post a New Comment