The "Email this to a friend" functionality in the mt-send-entry.cgi script can be abused by spammers to send unsolicited mail. In principle, every "email this to a friend" program is exposed to this abuse, because it lets the user supply a To: address and a message body. In practice, MT's implementation is not as robust as it should be, and a new version is available below.
This fix is already included in all copies of MT 2.64 downloaded from today onward.
If you're not using this functionality at all, we recommend that you simply remove mt-send-entry.cgi from your MT directory. MT has no hooks that use this script by default, so removing it will not break your MT installation.
If you are using this functionality on your MT weblog, you should download this package with a new version of mt-send-entry.cgi, unzip it, and replace the version of mt-send-entry.cgi on your server. The new version:
- fixes a vulnerability that allows spammers to inject extra headers into messages;
- removes the ability to send the message to multiple recipients;
- restricts the message to 250 characters.
All of these changes make the script less useful to spammers.
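To show what the three changes above defend against, here is an added example of the input validation an "email this to a friend" handler needs before it assembles a message. This is illustrative code written for this note in Python, not Movable Type's Perl and not the contents of the updated mt-send-entry.cgi; the function names, the address pattern and the sample requests are all assumptions. The validation runs on the already URL-decoded form values, which is where a CR/LF embedded in a header field would otherwise let a sender append their own Bcc: or To: lines.

```python
import re

# Limits mirroring the advisory: one recipient, body capped at 250 characters.
MAX_MESSAGE_LEN = 250

# Deliberately narrow single-address pattern (assumption): no commas, spaces or
# semicolons, so a list of recipients cannot slip through as one field.
_SINGLE_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def has_header_injection(value: str) -> bool:
    """True if a header field contains a line break, the hallmark of header injection."""
    return "\r" in value or "\n" in value


def validate_send_request(to_addr: str, from_addr: str, message: str):
    """Return (ok, reason) for a decoded 'email this entry' form submission."""
    for field, value in (("to", to_addr), ("from", from_addr)):
        if has_header_injection(value):
            return False, f"{field}: line break in header field (header injection)"
    if not _SINGLE_ADDR_RE.fullmatch(to_addr.strip()):
        return False, "to: must be exactly one well-formed address"
    if not _SINGLE_ADDR_RE.fullmatch(from_addr.strip()):
        return False, "from: must be exactly one well-formed address"
    if len(message) > MAX_MESSAGE_LEN:
        return False, f"message: longer than {MAX_MESSAGE_LEN} characters"
    return True, "ok"


def build_message(to_addr: str, from_addr: str, entry_title: str, message: str) -> str:
    """Assemble the raw mail text; only call this after validate_send_request passed.

    The entry title comes from the weblog, not the sender, but it is still
    flattened to one line so it can never become an extra header either.
    """
    ok, reason = validate_send_request(to_addr, from_addr, message)
    if not ok:
        raise ValueError(reason)
    subject = "Check out this entry: " + " ".join(entry_title.splitlines())
    headers = [
        f"To: {to_addr.strip()}",
        f"From: {from_addr.strip()}",
        f"Subject: {subject}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + message


def run_samples() -> dict:
    """Run constructed sample requests through the validator and report each outcome."""
    samples = {
        # Legitimate request.
        "legit": ("friend@example.com", "reader@example.org", "Thought you'd like this post."),
        # CR/LF smuggled into the To: field to append a Bcc: line (constructed sample).
        "crlf_injection": ("friend@example.com\r\nBcc: one@example.net, two@example.net",
                           "reader@example.org", "hi"),
        # Several recipients in one field.
        "multi_recipient": ("a@example.com, b@example.com", "reader@example.org", "hi"),
        # Body over the 250-character cap.
        "too_long": ("friend@example.com", "reader@example.org", "x" * (MAX_MESSAGE_LEN + 1)),
    }
    return {name: validate_send_request(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The line-break check has to come before any pattern matching, because a regex anchored with `$` can match just before a trailing newline and give a false sense of safety. Rejecting the request outright, rather than silently stripping the offending characters, also leaves a clear entry in the web server log for anyone watching for abuse attempts.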