btrott
Mar 23 2002, 11:18 PM
I don't really understand the security problem here--all it really shows is that by setting the form action to a specific server, you can post comments on someone's entries. But you can do that anyway, right?
RadicalEd
Mar 23 2002, 09:35 AM
I'm not sure if you're aware of this or not, since I'm using version 1.3 and haven't updated.
A friend of mine (hosted on a different domain on a completely different machine -- no relation whatsoever to mine) accidentally messed up the code for her comment popups, and copied the code from one of the MT blogs on my server (which is still using the default template) to fix it. However, she forgot to change the bits of the code that were specific to my server.
This didn't result in an error -- it resulted in her comments being posted in the appropriately numbered posts on MY blog.
That distresses me quite a bit. There are a lot of ways you could abuse it. Is this something you're aware of that has been fixed in more recent versions?
Thanks much.