Movable Type’s Spam Hole | Metafilter
Movable Type 2.64 contains a major vulnerability to spammers. The spam hole, which exists in all versions of the program downloaded before November 26, centers around the mt-send-entry.cgi script, which can be co-opted by spammers who then use your domain and resources to do their dirty work. Users are encouraged to download and install the new “secured” version of mt-send-entry.cgi or to remove the file from their installation altogether. (If it is not being used, it can be safely deleted without affecting other MT functionality.) The question does arise though, with literally tens of thousands of MT users affected by this vulnerability, why didn’t anyone at Six Apart think that this news warranted an announcement anywhere beyond the Movable Type news blog?
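As an added example (not from the MetaFilter thread, Six Apart, or the Movable Type codebase), here is a detection script for site owners who want to know whether their mt-send-entry.cgi has already been co-opted before they replace or delete it: it scans Apache combined-format access log lines for clients sending bursts of requests to the script. It assumes the abuse shows up as repeated POSTs to the script from one client; the threshold, window size, and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined log format: client IP, timestamp, method and path are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SCRIPT_NAME = "mt-send-entry.cgi"

def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def find_send_entry_abuse(log_lines, threshold=5, window_seconds=60):
    """Flag clients that POST to mt-send-entry.cgi at least `threshold` times inside any
    `window_seconds` span; a real visitor mails one entry, a relay abuser sends bursts.
    Returns {ip: peak_count}."""
    hits = defaultdict(list)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        # Strip any query string before comparing the script name (assumed POST-based abuse).
        if method == "POST" and path.split("?", 1)[0].endswith("/" + SCRIPT_NAME):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (not real traffic): 203.0.113.5 fires six POSTs within 50 seconds; 198.51.100.7 views the form once and submits it once.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Nov/2003:10:01:%02d -0500] "POST /mt/mt-send-entry.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [27/Nov/2003:10:05:10 -0500] "GET /mt/mt-send-entry.cgi?entry_id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2003:10:05:40 -0500] "POST /mt/mt-send-entry.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Run it over a real access log with `find_send_entry_abuse(open("/path/to/access_log"))` and adjust the threshold to your site's normal traffic; any flagged client is a sign the script was being used as a relay.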
A lively thread ensued at MetaFilter, but the bottom line for me is, a. they asked me to sign up to a mailing list, which would be where I would expect to see information like this, and b. I also donated to SixApart, which I would hope counted as some kind of vote of confidence (in addition to using their stuff for almost 2 years) and that should entitle me to a “heads up” when something like this comes up.
Color me annoyed.