MT send entry security hole

Gummi gave me a heads up about a highly problematic hole in MT that can basically turn your blog into an open email relay for spammers. Until Six Apart ships a permanent fix, plug the hole as soon as possible by doing the following:

  • If you do not use the "send this" feature on your MT weblog:
      - back up and remove the script named mt-send-entry.cgi or, alternatively, rename it.
  • If you are using the "send this" feature on your MT weblog but do not want to be exposed:
      - remove all traces of this feature from your MT templates and rebuild as necessary,
      - back up and remove the script named mt-send-entry.cgi or, alternatively, rename it.
  • If you are using the "send this" feature on your MT weblog and want to keep it:
      - rename the script named mt-send-entry.cgi,
      - find where this script is called (within your MT templates) and change the name there as well.
    I do NOT recommend this option: if you keep using the feature, the script's new name is still exposed on your pages, so spammers can still invoke it.

Other reports:

  • Check this thread on the MT forum for more information. See update below.
  • Zope news. I do not recommend this modification, as limiting the script to a single email address doesn't prevent a spammer from using a robot to invoke the script one address at a time.

Update: Ben Trott responded on the 24th:

All,

This is a bug in the MT code that sends mail using sendmail. If you're using SMTP, you are not, I don't think (sic), susceptible to this. The problem is that the code is not doing enough input validation on the From and To fields that are used in the mail message.

The fix will be in the next version of MT, but in the meantime, here's a fix.

1) Open mt-send-entry.cgi in a text editor.

2) Before line 40, add these lines:

    die "Invalid from or to value"
        if $to =~ /[\r\n]/ || $from =~ /[\r\n]/;

But something tells me that a robot can still use the script to send one email at a time. Another suggestion is to remove the ability to add custom content to the email, which would remove the incentive for spammers.
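To show what the two fixes above amount to in practice, here is an added example in Python. It is not Movable Type code and not Ben's patch; the names validate_address, is_safe_address and build_send_entry_message are hypothetical. It applies the same rule as the mt-send-entry.cgi patch (reject a From or To value containing CR or LF, since a line break in a header value lets the caller append headers of their own), tightens it to a single plain address, and follows the "no custom content" suggestion by building the message only from the two addresses and the blog's own entry title and URL:

```python
import re
from email.message import EmailMessage

# Hypothetical helper names; this is not Movable Type code. It applies Ben Trott's
# check (reject CR/LF in From/To) and the post's second suggestion (no
# sender-supplied text in the message body).

# Deliberately stricter than RFC 5322: one bare address, no display name, no comments.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
_LINE_BREAK = re.compile(r"[\r\n]")


def validate_address(value: str) -> str:
    """Return the trimmed address, or raise ValueError.

    Rejecting CR and LF is the same rule as the mt-send-entry.cgi patch:
    a line break inside a header value ends that header and lets the
    caller add headers of their own to the outgoing message.
    """
    if _LINE_BREAK.search(value):
        raise ValueError("invalid from or to value: line break in header field")
    addr = value.strip()
    if not _ADDRESS.match(addr):
        raise ValueError("invalid from or to value: not a single plain address")
    return addr


def is_safe_address(value: str) -> bool:
    """Boolean wrapper around validate_address, convenient for tests and filters."""
    try:
        validate_address(value)
    except ValueError:
        return False
    return True


def build_send_entry_message(sender: str, recipient: str,
                             entry_title: str, entry_url: str) -> EmailMessage:
    """Build the 'send this entry' notification.

    Only the two addresses come from the web form; the title and URL are
    taken from the blog's own entry record and there is no free-text field,
    so there is nothing for a spammer to put in front of the recipient.
    """
    msg = EmailMessage()
    msg["From"] = validate_address(sender)
    msg["To"] = validate_address(recipient)
    msg["Subject"] = "Someone thought you might like this entry"  # fixed, not user-controlled
    msg.set_content(f"{entry_title}\n{entry_url}\n")
    return msg


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed address, one carrying an injected header.
    print(is_safe_address("reader@example.com"))                     # True
    print(is_safe_address("reader@example.com\r\nX-Injected: yes"))  # False
    m = build_send_entry_message("blogger@example.com", "reader@example.com",
                                 "MT send entry security hole",
                                 "https://example.com/mt-send-entry")
    print(m.as_string())
```

Note that the validation only closes the header-injection hole; it does nothing about a robot calling the script repeatedly with one valid address per request, which is the remaining concern raised above. Removing the free-text field is what takes away the spammer's reason to do so.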