Here's a strange one. I'm using WPMU 1.2.5a still. Yes, I know.
I was pretty sure that I'd blocked off user registration, and if I go into the Edit page of my main WPMU domain blog, the "Users can register" field is empty. If I try to change it, WPMU informs me that that field has a value of 0, so it sounds to me like users cannot register.
Wrong. Today, an IP that has never been to my site before hit me 10 times with URLs like this:
http://johndoe.my-wpmu-domain.com/wp-activate.php?key=cxasdljldf2334d4
Where 'johndoe' and the key value were different every time.
In each case, a user and blog were created in one shot.
After making sure I had logs of everything, I banned the IP, deleted the users, blogs, wp-activate.php and wp-signup.php (I don't need them anyway, for now).
Now, I can imagine the guy/bot having used a different IP to discover my WPMU install, but what's required to generate working keys out of the box like that?
Is it as simple as going into the WPMU code and finding the key generating algorithm? I can't believe that because then I could do what he did here above but use the same key for any WPMU install I decided to hack, and it would work in each case. Massive security hole.
Thoughts?
Jacob
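The pattern in the post (one source IP, a burst of wp-activate.php?key=... requests across several subdomains, a fresh key each time) is easy to pull out of the web server logs. The script below is an added example, not code from the post or from WPMU: it parses an assumed log format in which the virtual host is the first field and the rest follows the usual combined format, then flags any IP that sends a configurable number of keyed activation requests within a time window. The log lines, IPs, hostnames and keys are constructed for illustration; only the URL shape comes from the post.

```python
"""Flag bursts of wp-activate.php?key=... requests per source IP.

Added example, not code from the original post or from WPMU. Assumes a log
format with the virtual host as the first field followed by the usual
combined-format fields; every sample line below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.7 hits four subdomains' wp-activate.php with a
# different key each time; 198.51.100.4 is ordinary traffic that must not be
# flagged even though it touches wp-activate.php once.
SAMPLE_LOG = """\
johndoe.my-wpmu-domain.com 203.0.113.7 - - [12/Mar/2008:09:14:02 +0000] "GET /wp-activate.php?key=cxasdljldf2334d4 HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
www.my-wpmu-domain.com 198.51.100.4 - - [12/Mar/2008:09:14:10 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
janedoe.my-wpmu-domain.com 203.0.113.7 - - [12/Mar/2008:09:14:33 +0000] "GET /wp-activate.php?key=9f1e2d3c4b5a6978 HTTP/1.1" 200 2330 "-" "Mozilla/4.0"
www.my-wpmu-domain.com 198.51.100.4 - - [12/Mar/2008:09:15:01 +0000] "GET /wp-activate.php?key=7a7a7a7a7a7a7a7a HTTP/1.1" 200 2330 "-" "Mozilla/5.0"
bob.my-wpmu-domain.com 203.0.113.7 - - [12/Mar/2008:09:15:40 +0000] "GET /wp-activate.php?key=0011223344556677 HTTP/1.1" 200 2330 "-" "Mozilla/4.0"
alice.my-wpmu-domain.com 203.0.113.7 - - [12/Mar/2008:09:16:05 +0000] "GET /wp-activate.php?key=deadbeefcafef00d HTTP/1.1" 200 2330 "-" "Mozilla/4.0"
www.my-wpmu-domain.com 198.51.100.4 - - [12/Mar/2008:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def activation_requests(lines):
    """Yield (ip, ts, vhost, key) for every request to wp-activate.php that carries a key."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("/wp-activate.php"):
            continue
        key = parse_qs(parts.query).get("key", [None])[0]
        if key:
            yield rec["ip"], rec["ts"], rec["vhost"], key


def find_activation_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: summary} for each IP that sent at least `threshold` keyed
    activation requests inside any `window`-long span. The summary lists that
    IP's total keyed activation requests and the distinct vhosts and keys tried."""
    by_ip = defaultdict(list)
    for ip, ts, vhost, key in activation_requests(lines):
        by_ip[ip].append((ts, vhost, key))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # oldest first, so a sliding window works
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "count": len(events),
                    "vhosts": sorted({v for _, v, _ in events}),
                    "keys": sorted({k for _, _, k in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_activation_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} keyed activation hits across "
              f"{len(info['vhosts'])} blogs, {len(info['keys'])} distinct keys")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents (the threshold and window are the knobs to tune). The point of grouping by IP and counting distinct keys is that a legitimate user activates once with one key; many keys from one address in a few minutes is the shape of the activity described in the post, and is what you would want to alert on before deciding whether to ban the IP or remove the scripts.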