Maybe you noticed, maybe not: the site got defaced yesterday for a couple of hours. Terrible, isn't it? Actually, not very.
The old boring index files were replaced by a fancy-Turkish-something for a little while; that's all that happened. Rumour has it that the tune played by the replacement page was especially nice. By now you probably wonder what the hell happened. Guess what, it turns out Movable Type 3.33 has some minor (yet, as you can see, sufficient) vulnerabilities, which served the very purpose of defacing the blog. And guess what, version 3.34, released Jan 17 with fixes for these identified flaws, hadn't made it to the blog yet.
But. Had any harm been done to the data, I would have had it back from an off-site backup in no time. And now the administrative interface is accessible only from trusted IPs. Learn something every day, they say.
Lessons learned:
1) Patching the software immediately after patches are released (following the change management procedure, though) usually pays off; a public fix is also a public hint about where the holes are.
2) Having an up-to-date off-site backup of all sensitive information buys you peace of mind (for a fairly low price).
3) It's always good to separate the administrative interface from the publicly available content, and the lower the level at which the separation is done (a host firewall or a separate listener rather than a check inside the application), the more bulletproof the solution is.
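As an added example of what lesson 3 looks like at the web-server level (this is not configuration from the original post or from Movable Type itself), here is an Apache 2.2 fragment that keeps the public-facing MT scripts (comments, trackbacks, search) reachable while restricting the administrative script to an allowlist. The directory path and the address ranges are placeholders; the assumption that mt.cgi is the only admin-only entry point in that directory is mine, so add any other admin-only scripts of your installation to the same block.

```apache
# Added example, not part of the original post or of Movable Type.
# Assumed layout: MT's CGI scripts live in /var/www/cgi-bin/mt and the
# trusted administrator addresses are 203.0.113.10 and 198.51.100.0/24
# (documentation ranges used as placeholders). Apache 2.2 access syntax.
<Directory "/var/www/cgi-bin/mt">
    Options +ExecCGI
    AddHandler cgi-script .cgi

    # Public-facing scripts (mt-comments.cgi, mt-tb.cgi, mt-search.cgi, ...)
    # must stay reachable for readers, so the directory default is open.
    Order allow,deny
    Allow from all

    # The administrative interface: deny by default, then allow only the
    # trusted addresses. "Allow from" matches the TCP peer address, so this
    # check cannot be influenced by anything the attacker sends in the HTTP
    # request itself.
    <Files "mt.cgi">
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </Files>
</Directory>
```

Two caveats a practitioner would want. First, if the server sits behind a reverse proxy, the peer address Apache sees is the proxy's, and switching the check to an X-Forwarded-For header makes it spoofable unless the proxy strictly overwrites that header. Second, this is still an application-server control: binding the admin interface to a separate port or interface and filtering it with the host firewall moves the same rule one level down, which is exactly the "lower level, more bulletproof" point above.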
And as a bonus, some problems with user input sanitisation in a contact form (not part of MT) were found along the way.