Do you run a Movabletype blog? spam vulnerability (old news - 04:45PM Wednesday Nov 26 2003)
tags: security · spam

One of the most popular blog packages, Movabletype, comes with a utility, not even used in the default configuration, that can be (and is being) hijacked by spammers trying to sell Viagra© to turkeys. If you operate a Movabletype blog, please make sure you read the front page of movabletype.org urgently. If you get a spam email that says, in its message body, "... has sent you a link .. Title: .. Link: ...", then please refer to its FROM address. For once, it will be correct. A courtesy email to the blog owner (visit their domain) should wake them up.

reub2000 (Premium, join: 2001-12-28, Evanston, IL) edit: November 26th, @04:59PM
What the spammers deserve
The spammers should be tied down in a very uncomfortable position, with a little apparatus swinging around their crotch, hitting it every couple of seconds. Then saw off their necks, 1mm at a time, every 2 hours, until they die.

Cheddah (join: 2001-12-31, San Rafael, CA)
Re: What the spammers deserve
How are they going to ever learn if you go easy on them like that? lol

reub2000 (Premium, join: 2001-12-28, Evanston, IL)
Re: What the spammers deserve
said by Cheddah: How are they going to ever learn if you go easy on them like that? lol
How about cutting off a finger or toe every half an hour?

rmdir (join: 2003-03-13, Chicago, IL)
Re: What the spammers deserve
Cut off one finger for each spam e-mail they send. After they have sent the first 10, guess what's next.

Rambo76098 (join: 2003-02-21, Pataskala, OH)
Nah.. only little parts of each every 15 minutes... we wouldn't want them having the honor of getting their fingers chopped off in one piece... that would not be painful enough to teach them anything. An added bonus to them not having fingers: they can't type normally, if at all.

justin (Australian, join: 1999-05-28, Brooklyn, NY)
The fix isn't very good
Reading the fix that movabletype.org have done .. well, it doesn't strike me as particularly good. So now they've limited the script to one target address and a short message body?
A spam-bot with a list of N movable type domain names could, in parallel, spam N people per second, even if everyone fixed their script per the recommendation. OK, that isn't as efficient as spamming NxM people per second (the original script allowed lists of people). But it is still possible.
It would be better if movabletype.org put a challenge-response token into the loop, so you can't POST to it unless you have done a GET of the form first, and a delay as well. Better still, remove the ability to enter a custom message (where the advert goes) entirely!
Or just remove the script and do not allow anon users to send links to any email address they like.
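The token-and-delay scheme justin sketches above, written out as an added example (this is not Movable Type's code, nor the fix movabletype.org shipped): a GET mints a signed, single-use token, and the POST is refused without it, if it arrives sooner than a human could fill in the form, after it expires, with more than one recipient, or with any caller-supplied text, since the mail body is a fixed template. Function names, the limits, the in-memory nonce store and the choice of Python are all assumptions of this example.

```python
import hmac, hashlib, os, time, re

# Constructed model of a hardened "send this entry to a friend" endpoint.
# Names and limits are hypothetical; a real CGI would keep _issued in a
# persistent store so tokens survive across processes.
SECRET = os.urandom(32)          # per-install secret used to sign form tokens
MIN_DELAY = 3.0                  # seconds a human needs between GET and POST
MAX_AGE = 900.0                  # token lifetime in seconds
_issued = {}                     # nonce -> issue time; entry removed once used
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")   # one address only

def issue_token(now=None):
    """GET handler: mint a single-use token bound to the time it was issued."""
    now = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    _issued[nonce] = now
    stamp = f"{now:.3f}"
    mac = hmac.new(SECRET, f"{nonce}:{stamp}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{stamp}:{mac}"

def handle_send(token, recipient, entry_title, entry_url, now=None):
    """POST handler: returns (ok, reason_or_body). Every refusal path is
    checked before the token is burned, except expiry, which discards it."""
    now = time.time() if now is None else now
    try:
        nonce, stamp, mac = token.split(":")
        issued = float(stamp)
    except (AttributeError, ValueError):
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{nonce}:{stamp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    if nonce not in _issued:
        return False, "token unknown or already used"   # replay or never issued
    if now - issued < MIN_DELAY:
        return False, "submitted too quickly"            # no GET-then-instant-POST
    if now - issued > MAX_AGE:
        _issued.pop(nonce)
        return False, "token expired"
    if not EMAIL_RE.match(recipient or ""):
        return False, "exactly one valid recipient required"
    _issued.pop(nonce)                                   # burn the token on success
    # Fixed template: the submitter cannot place an advert (or anything) in the mail.
    body = f"A reader has sent you a link.\nTitle: {entry_title}\nLink: {entry_url}\n"
    return True, body
```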

trparky (Bite My Shiny Metal Ass, Premium, MVM, join: 2000-05-24, Cleveland, OH)
Re: The fix isn't very good
Me too, the fix is horrible. Basically, the fix shows that they are lazy and that they don't want to fix it the correct way.
-- WedgeAntilles250

nil (Java Geek, join: 2000-11-27)
Re: The fix isn't very good
In all fairness to Ben and Mena, I don't think you can call them 'lazy' over a bad fix.. Movable Type is still a terrific tool and still free.. Hopefully they'll have a better fix soon; in the meantime, people should just remove the script altogether. There's no true need for it.
-- Life is too short to be boring

RedDwarf (join: 2002-09-17, Tewksbury, MA)
Thanks for the heads up!
Thanks for posting this. I had a problem last month where someone was spamming AOLers with Viagra ads from my address, and I couldn't figure out how it was being done. Now I know. File deleted.

Theo2002 (join: 2002-02-28, Clermont, FL)
Doh
Who's to blame more, the lazy programmers or the "ingenious" spammers?

RadioDoc (Sortofadog, Premium, ExMod 2000-03, join: 2000-05-11, Chicago, IL) edit: November 26th, @07:13PM
Re: Doh
said by DSLDUDE: I don't care if it had 100 security flaws, if it's FREE, then one should not complain...
Tell that to the thousands of Internet Explorer complainers...
Seems like any mechanism which allows what is essentially an open relay is a horrible idea in this day and age, no matter what it costs.

koitsu (Premium, join: 2002-07-16, Mountain View, CA)
The fact something is free doesn't automatically void the authors from being responsible for flaws in their code.
Open-source should NOT be used as a way for programmers to get around having to take responsibility for something they've created. The more it becomes such, the more crap software we're going to see in times to come.
-- Making life hard for others since 1977.

justin (Australian, join: 1999-05-28, Brooklyn, NY)
Re: Doh
Who says they are not being responsible? Seems to me, they take at least as much an interest in a quick fix as any for-cash software company does. And try asking Microsoft or Oracle for damages when their software has a problem!

koitsu (Premium, join: 2002-07-16, Mountain View, CA)
Re: Doh
In the case of the MT folks, they've been generally pretty responsible when it comes to providing patches and being up-front with users about the impact of bugs or security flaws. It's good to see that some open-source developers still believe in taking responsibility for their code.
My statement was more general than it was specific to the MT authors; the majority of my experiences with OSS authors has been "since we give you the code, you can fix the problem yourself." It's that kind of excuse which makes me wonder how many people live in hobbit holes...
-- Making life hard for others since 1977.

justin (Australian, join: 1999-05-28, Brooklyn, NY)
Re: Doh
Really? That doesn't sound like any OSS projects I can imagine. Are you sure you are not confusing requests for features you want, which may of course be ignored, with notification of important bugs and security problems?

koitsu (Premium, join: 2002-07-16, Mountain View, CA)
Re: Doh
I've spent too many years working with OSS to confuse the two. The response I speak of I've received from members of the Apache team (re: RFC931/1413 flaw which could lead to a buffer overflow and still exists today, re: zombie processes caused on many systems in 1.3.29), developers of SpamAssassin (re: spamd leaving zombie processes around on BSD systems), BIND 8.x (re: potential security hole: zone transfer tempfiles put in main root dir only when using key-based authentication, requiring the daemon to have full rwx access to /etc/namedb, rather than putting them in the appropriate zone directory from each zone directive), GNU screen (re: code checking for ~/.nethackrc despite "nethack off" being specified in .screenrc), PHP 4.x (re: returning status code of 200 regardless of what Apache says is a legitimate command; still exists today), FreeBSD sendmail updates (re: expanding etc/mail/Makefile to support sendmail's "cidrexpand" script so one can use CIDR notation in etc/mail/access; this is more of a feature, but the response was a real let-down) and numerous other mainstream applications.
I've been trying to keep a list of all the issues I've reported which go either unresponded to or elicit the standard "You have the source, fix it yourself" response, but I run into stuff too often to maintain a coherent list...
I'm just one guy with very interesting experiences with the OSS community, most of them negative. But it still warms my heart (honestly) when I see an OSS developer step in and say "Thanks for reporting this! I'll provide and commit a patch in a few minutes," or simply push out a new release.
Anyways, without getting too off track, my point is that people's responsibilities shouldn't be nullified whether or not the application is free or commercial.
-- Making life hard for others since 1977.

Rambo76098 (join: 2003-02-21, Pataskala, OH)
said by justin: Who says they are not being responsible? Seems to me, they take at least as much an interest in a quick fix as any for-cash software company does. And try asking Microsoft or Oracle for damages when their software has a problem!
Yeah, but the last time I checked this was free, and all the Microsoft products I have I paid out my ass for. If I'm paying as much as I did for Windows or Office then I'm expecting it to be a good, quality, error-free program (which Windows is not!), but if something is free I will be happy if it works at all b/c I paid nothing for it, and as long as my comp is not damaged or compromised, then I could care less.

ewoodpark (join: 2003-02-04, Flossmoor, IL)
What I want to know
Is why anyone would want to try to sell viagra to turkeys