Be Secure

Elise Bauer and Arvind Satyanarayan have a
short tutorial
on using CGIWrap or suEXEC on *NIX/Apache
MovableType installations. If you are using MT as your content
management system and aren’t already using CGIWrap or suEXEC
you should read this article. This, of course, assumes that
your host has CGIWrap or suEXEC installed (MT installs a
utility called mt-check.cgi that, inter alia, tests
for this so you can check before proceeding).

The article also recommends, if you aren’t doing dynamic
publishing, to set permissions on mt.cfg and mt-db-pass.cgi to
600 (e.g., chmod 600 mt.cfg) to protect it from
intrusion. In addition, they suggest setting a .htaccess file
in the same directory as mt.cfg with parameters to restrict
access (see the article for the specific code).

Given the problems I’ve had with comment spammers, these are
good recommendations. One thing they don’t mention, but I
recommend, is to close comments on individual articles after a
period of time. I don’t know why, but spammers love to hit
posts that a older than a couple of weeks. If you routinely
close comments after, say eight to 10 days, you can stop them
in their tracks.

But remember, you have to make these changes. If you think
no one would try to hack your site, think about this. Before
the authors of the tutorial actually did the things they
recommended, a spammer was able to access their index template
and modify it to show a pop-up add to everyone who viewed their
site. So, not only can it happen, it
already has
. And according to a follow-up at their site,
the exploit involves not only MT sites but also WordPress and
perhaps others. The bottom line for the exploit seems to be set
your permissions to 600 on mt.cfg and mt-db-pass.cfg.


One response to “Be Secure

  1. Hi Dan,
    I think the more likely cause of the attack on my site was not on the index templates but on a lot of the file pages whose permissions were set to 666 (because I hadn’t uncommented the Umask settings). I had several templates linked to files. Once those files were changed, the template would change when I rebuilt them. I’m not certain, of course, but this seems to be most likely. That said, I discovered in the process that my site was still vulnerable to having its db password and username revealed by a simple php script that anyone else on my shared server could have run. The way to protect against such a script was to set tighter permissions on the mt.cfg and db-pass.cgi files.

    Regarding comment spam, I’ve listed a bunch of things one can do at the following tutorial which you might find helpful: