Bad Behavior 1.0.1


See also the permanent page.

Security Update: All Bad Behavior users should update to version 1.0.1 immediately to prevent malicious code execution on their Web servers.

A security issue has been identified in Bad Behavior 1.0 whereby an attacker can execute arbitrary PHP code. While this issue only affects a small percentage of Web hosts, I have released an immediate fix for this issue. You are affected if your Web host has the PHP initialization values register_globals on and allow_url_fopen on. If allow_url_fopen is off, but register_globals is on, then the attack can only be carried out by someone with local access to the same server. If register_globals is off, you are not vulnerable.
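To see which of the three cases above applies to a host, the two settings can be read at runtime. The script below is an added example and is not part of Bad Behavior; the function names `ini_flag_enabled` and `bad_behavior_exposure` are hypothetical. It assumes it is requested through the Web server, because the command-line PHP binary can load a different php.ini.

```php
<?php
// Added example (not part of Bad Behavior): report which of the advisory's
// three cases applies, based on register_globals and allow_url_fopen.

// ini_get() returns the raw string ("1", "On", "", "0", "Off", ...) or
// false when the directive does not exist. register_globals was removed
// in PHP 5.4, so false is treated as "off".
function ini_flag_enabled($raw)
{
    if ($raw === false) {
        return false;
    }
    $value = strtolower(trim((string) $raw));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Maps the two flags onto the cases described in the advisory.
function bad_behavior_exposure($registerGlobals, $allowUrlFopen)
{
    if (!$registerGlobals) {
        return 'not vulnerable (register_globals is off)';
    }
    if ($allowUrlFopen) {
        return 'vulnerable (register_globals and allow_url_fopen are both on)';
    }
    return 'vulnerable to someone with local access to the same server '
         . '(register_globals is on, allow_url_fopen is off)';
}

$registerGlobals = ini_flag_enabled(ini_get('register_globals'));
$allowUrlFopen   = ini_flag_enabled(ini_get('allow_url_fopen'));

// Send a plain-text header only when served over HTTP.
if (php_sapi_name() !== 'cli') {
    header('Content-Type: text/plain');
}

echo 'register_globals: ', $registerGlobals ? 'on' : 'off', "\n";
echo 'allow_url_fopen:  ', $allowUrlFopen ? 'on' : 'off', "\n";
echo 'Bad Behavior 1.0: ',
     bad_behavior_exposure($registerGlobals, $allowUrlFopen), "\n";
```

Remove the script from the server after checking, since it discloses configuration details.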

Bad Behavior 1.0.1 also includes a fix to allow receipt of trackbacks from Movable Type blogs. In 1.0, accesses by Movable Type were blocked because Movable Type uses exactly the same software to send HTTP requests that many spammers use. A fix has been placed in version 1.0.1 to allow sites to receive trackbacks and trackback auto-discovery. Please note, however, that while I have tried to make this fix narrowly apply only to Movable Type, this could make your site somewhat more vulnerable to certain spammers. As usual, I recommend defense in depth, and that means using more than one anti-spam solution.