Ted Leung on the air: Open Source, Java, Python, and ...
Sat, 21 Feb 2004
pyblosxom comment spam fix
If you are using the pyblosxom comments plugin, you should update to the latest version from CVS (or you can download it from my home page). There's a new comment spam program going around that tries to exploit weaknesses in comment systems and use them to send e-mail on its behalf.

In the case of pyblosxom, the attack works if you have SMTP notification of comments turned on. With notification on, the attacking program injects the commands for a complete SMTP transaction into the fields of the comment form. Python's smtplib simply writes the text it is handed straight into the SMTP connection, so if the body of the comment happens to look like this:

blasterattacko@aol.com
To: blasterattacko@aol.com
From: blasterattacko@aol.com
Subject: PyC(5D9A983C,url)dlq9F

UeFb8RE4XhzEn6 9dwVwadJWbqLXc2EjtIcmkc9Q7f1aeAnNqR

.
the entire thing gets sent to the SMTP connection as the body of the e-mail.

The updated plugin wraps To:, From:, and Subject: in the comment body in HTML tags, so a comment that contains that text will still display, but it will no longer be valid as SMTP commands.
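As an added illustration (not the plugin's own code), here is the defensive side of what the post describes in Python: a check that flags comment bodies carrying mail-header lines or a lone "." data terminator, a neutraliser that wraps those tokens in an HTML tag so they display but no longer parse as headers, and a notification builder that keeps every header under server control. The function names, the `<span>` tag, the Cc/Bcc entries and the sample comment (copied from the body quoted above) are assumptions of this example.

```python
import re
from email.message import EmailMessage

# Header-like prefixes to neutralise. To/From/Subject are the ones the post
# names; Cc/Bcc are an added assumption, not part of the plugin fix.
HEADER_RE = re.compile(r'^\s*(To|From|Subject|Cc|Bcc)\s*:', re.IGNORECASE)


def looks_like_smtp_injection(body):
    """Detection: True if a comment body carries mail-header lines or the
    lone '.' that terminates an SMTP DATA section."""
    return any(HEADER_RE.match(l) or l.strip() == '.'
               for l in body.splitlines())


def neutralize_comment_body(body):
    """Mitigation in the spirit of the plugin fix: wrap the header name in a
    tag so the text still displays but no longer reads as 'Header: value',
    and wrap a lone '.' so it cannot act as a data terminator."""
    out = []
    for line in body.splitlines():
        m = HEADER_RE.match(line)
        if m:
            start, end = m.span(1)
            line = line[:start] + '<span>' + line[start:end] + '</span>' + line[end:]
        elif line.strip() == '.':
            line = '<span>.</span>'
        out.append(line)
    return '\n'.join(out)


def build_notification(to_addr, from_addr, post_title, comment_body):
    """Build the notification so that every header comes from server-side
    values and commenter input only ever lands in the body (hypothetical helper)."""
    msg = EmailMessage()
    msg['To'] = to_addr
    msg['From'] = from_addr
    title = post_title.replace('\r', ' ').replace('\n', ' ')
    msg['Subject'] = 'New comment on: ' + title
    msg.set_content(neutralize_comment_body(comment_body))
    return msg


# Constructed sample, modelled on the comment body quoted in the post.
INJECTED_COMMENT = (
    "blasterattacko@aol.com\n"
    "To: blasterattacko@aol.com\n"
    "From: blasterattacko@aol.com\n"
    "Subject: PyC(5D9A983C,url)dlq9F\n"
    "\n"
    "UeFb8RE4XhzEn6 9dwVwadJWbqLXc2EjtIcmkc9Q7f1aeAnNqR\n"
    "\n"
    ".\n"
)
```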

[22:38] | [computers/internet/weblogs/pyblosxom]
I work at the Open Source Applications Foundation (OSAF).
The opinions expressed here are entirely my own, not those of my employer.
This work is licensed under a Creative Commons License.