well, there might be. if you allow HTML in your comments, you could have the same thing happen to you as i had over at surreally — find a hacker bot nestled in one of your directories. i’ve just now found out what causes that, and as security holes go, this one’s huge. basically all a person has to do is put the right bit of server side code (it works in a number of different languages) in the comment box and submit it, and the server will execute the commands in it. big, scary hole. more about that here.
the patch is simple, and right now i’m about to upload it to all the copies of MT running on all the surreallys. then i’ll put up instructions outlining the very simple template changes that will be needed, and i’ll link that up when it’s done. i just wanted to get the word out on the patch.
those of you who aren’t using HTML in your comments don’t need to worry.
I’m so sorry. That sucks so bad. At least there is a fix. Can’t a girl enjoy something without someone mucking it up?
hm, this sucks!
does that thingie work for all MT versions?
Did you ever know that you’re my hero?
yes, it does. i forgot to mention, this applies mainly to sites that use PHP, JSP, ASP, or SSI (server side includes) — pages with HTML extensions on them are less vulnerable, but it’s never a bad idea to have something that cleans out the undesirable code from the comment box.
i’m going to put it on all the surreally blogs just to be on the safe side. it also cleans up unclosed tags, so when people forget to put in that </b>, it doesn’t screw up the whole page after that.
ok, thanks for clearing that… =)
I knew there was a reason I didn’t allow html in my comments. sigh.
Man, that sucks! I added that to my site ages ago — but I didn’t know someone had actually been hit with it. I’m sorry! :-\
yeah, i really should pay more attention to these things. it’s very creepy finding evil bots on your own servers.
unless i’m missing something this doesn’t apply to asp…Response.Write’ing something which contains tags doesn’t seem to have the same effect…although i did only spend about 30 seconds looking at it…
anyway, if you’re running on asp i have a couple of vbs functions (functions, not mt plugins) which strip html tags out of a string, either all tags or everything except a list of allowed tags (like B I STRIKE A etc for comments) and as a side effect i hadn’t even thought about they do rip out tags as well. if anyone wants them email me
bah you’ll just have to imagine the asp server side code percent tags at a couple of key places in my last comment.
Geekspeak geekspeak!!! Warning Will Robinson Warning Will Robinson!!!
Okay, KD, now for those of us who do NOT speak Geekesse, THANKS for finding that. I guess until you have the patch in place and let us know, I will disable HTML on my comments.
ARGH. I wasn’t planning to do THAT this morning while I drank my coffee, but now I guess I’m going to be patching, eh?
kd, you rock for making the announcement. Thank you!!
hi kd–am i understanding you correctly that if your comments pages have html extensions then they are ‘less vulnerable’ than if they have php extensions? thanks for sharing this, btw.
I think I told you on a previous post that I wasn’t allowing HTML in my comments, so don’t worry about patching me. Well, guess what? Certain somebodys keep posting HTML to my comments, so I turned it on (just for a while…). Please don’t hate me. I need the patch almost as bad as I need a drink right now. I’ll make it up to you sometime, I swear!
in order to do any real damage on plain HTML pages, it would take some mighty fancy javascript.
however, this is worth it, just to keep people from putting in weird style tags, or leaving tags open, and it gives you exact control over what you do allow. this is a good thing.
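what the patch described in the post and in the replies above amounts to, written out as an added Python example (this is not the MT patch itself, which is a template change; it is a stand-alone sanitizer that does the same job): only a short allow-list of tags survives, everything else is re-escaped as text, PHP/ASP/JSP/SSI constructs are dropped, and tags the commenter left open are closed. the B/I/STRIKE/A allow-list and the http(s)-only rule for links are assumptions taken from the comment thread, not settings from the patch.

```python
import html
from html.parser import HTMLParser

# Allow-list of tags (the B/I/STRIKE/A set a commenter above suggests); for <a>,
# only href survives, and only when it is a plain http(s) link.
ALLOWED_TAGS = {"b", "i", "strike", "a"}
ALLOWED_ATTRS = {"a": {"href"}}

class CommentSanitizer(HTMLParser):
    """Rebuild a comment from parsed pieces: allow-listed tags only, text
    re-escaped, unclosed tags closed. HTMLParser's default handle_pi
    ("<?php ... ?>") and handle_comment (SSI "<!--#exec ... -->") drop those."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []   # sanitized output fragments
        self.stack = []   # allowed tags opened but not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return        # script, style, iframe, ...: drop the tag, keep its text
        kept = ""
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, ()) and value
                    and value.lower().startswith(("http://", "https://"))):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.parts.append(f"<{tag}{kept}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return        # stray close tag: ignore it rather than break the page
        while self.stack: # close back down to the matching open tag
            top = self.stack.pop()
            self.parts.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Re-escaped: a "<" not parsed as a tag (e.g. the "<%" of ASP/JSP) becomes "&lt;".
        self.parts.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.parts) + "".join(f"</{t}>" for t in reversed(self.stack))

def sanitize_comment(text):
    parser = CommentSanitizer()
    parser.feed(text)
    return parser.result()
```

the point of rebuilding from parsed pieces rather than regex-stripping is that anything the parser did not recognise as an allowed tag can only come out as escaped text, so a server-side block never reaches the page as markup.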
Y’know… I’d heard about this a while ago. Thanks for the reminder.
On top of it, Rose.