
Movable Thoughts #5-8

5) it appears that CGI parameters aren't being untainted anywhere, at all -- the reality is that this may not actually be an issue in an MT context, but it is disconcerting all the same

6) the $CGI::POST_MAX variable is not set for file uploads which means that a cgiwrap-less Movable Type can, potentially, be used as a DoS tool -- to be clear, this problem exists for any and all CGI (wrap-less) scripts; it's just that MT does it out of the box

7) MT is hard-coded to prevent you from updating an already uploaded file

8) there isn't much in the way of validation for email addresses and URIs in the comments form.

Now, lest you think I'm just being an asshole and picking on people who've generously donated their time and code to the general public, I assure you that I wouldn't have spent as much time as I have on MT if I didn't think it was an otherwise excellent piece of work. But some of these bugs are the kind of thing that no amount of feeping creaturitis or ease of use should ever trump. You can dress it up in a pretty package and try to make it "simple" for "average" users to set up but, and this is not directed at the clever people who've written MT, it doesn't change the simple fact that this computer stuff is hard and complicated and fraught with pitfalls. Where possible I have sent the developers possible fixes, or workarounds. Whether they care to listen to anything I have to say after everything that's been said to date remains to be seen...
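As an added example (not code from this post and not Movable Type's own code), here is how a CGI.pm-based comment handler would address points 5, 6 and 8: the request body is capped with $CGI::POST_MAX before CGI.pm parses it, uploads are disabled on a script that never needs them, and the form fields are untainted under perl -T by extracting only an explicitly allowed shape. The 512 KiB limit, the field length caps and the email/URL patterns are assumptions chosen for the example, deliberately strict rather than RFC-complete.

```perl
#!/usr/bin/perl -T
# Added example, not part of Movable Type: a hardened CGI.pm comment handler.
use strict;
use warnings;
use CGI;

# Point 6: the body-size cap must be set *before* CGI->new, because the
# constructor is what reads and parses the POST body. CGI.pm compares the
# Content-Length against $CGI::POST_MAX and refuses oversized requests.
# The 512 KiB figure is an assumption for this example.
$CGI::POST_MAX = 512 * 1024;

# A comment form never legitimately carries a file, so drop multipart file
# parts entirely (CGI.pm discards them when this is set).
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;

# An oversized request is recorded in cgi_error() rather than thrown, so the
# script must check for it explicitly and stop before touching any field.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain');
    print "Request rejected: $err\n";
    exit;
}

# Point 5: under -T every CGI parameter is tainted. The only way to untaint
# is a regex capture, so the whole value must match an allow-list pattern;
# anything that does not match is rejected, not "cleaned up".
sub untaint_field {
    my ($value, $max_len, $allowed) = @_;
    return undef unless defined $value;
    return undef if length($value) > $max_len;
    return $value =~ /^($allowed)\z/ ? $1 : undef;
}

# Point 8: shape checks for the comment form. These patterns and the length
# caps are assumptions for this example; they accept the common cases and
# reject control characters, whitespace and javascript:/data: style schemes.
my $email = untaint_field($q->param('email'), 254,
    qr/[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/);

my $url_raw = $q->param('url');
$url_raw = '' unless defined $url_raw;
my $url = untaint_field($url_raw, 2048,
    qr{https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._~%!\$&'()*+,;=:@/-]*)?});

# Comment text: any length-limited string without ASCII control characters
# (tab, CR and LF are allowed).
my $text = untaint_field($q->param('text'), 4000,
    qr/[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/);

# The URL is optional; email and text are required.
my $ok = defined $email
      && defined $text
      && ($url_raw eq '' || defined $url);

unless ($ok) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid comment fields\n";
    exit;
}

# Only untainted values reach this point, so -T will not refuse to let them
# flow into a file write, a database handle or an outgoing mail command.
print $q->header(-type => 'text/plain');
print "Accepted comment from $email",
      ($url_raw ne '' ? " ($url)" : ''), "\n";
```

Because the -T switch is on the shebang line, run the script directly (or as `perl -T script.cgi`); invoking it as `perl script.cgi` makes Perl exit with "Too late for -T". The order matters for point 6: assigning $CGI::POST_MAX after CGI->new has no effect, since the body has already been read by then.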
