This is more or less a design and cross-site-scripting issue: The login page should be a standalone page and not modifyable within the skins of a blog. Everybody with proper knowledge in DHTML, Javascript is able to logout a user and maybe forcing a subscriber to relogin on the modified blog. Redirect the username and password to another server and redirect it back to antville. If the login-page (template, snippet) is not changeable, it would be no problem at all within the login-skin. It is still possible within all skins to login, logout, and redirect, but it should not be possible within the login-skin.

In this case antville needs to step back to a central sign-on that is trustworthy.

Solution: skins/edit?proto=membermgr&name=login should be not modifyable within a blogs skin.

My point of view is, the login-procedure should be somewhat trusted and not changeable/accessable within a users skin.

Suggested workaround: never ever login on another blog. If you don't have a blog, thats mmhhh say: bad luck - or a lesson in trust - you can use mine. (o;