Security Issues

Any application has security issues of which you, the user, should be aware. Because Movable Type is a server-based application, you and your hosting provider should be aware of web server security issues due to running CGI scripts (not just Movable Type, but any CGI script). In addition, as someone who is publishing personal information readable by the entire world, you may be interested in blog security or the ability to create private blogs readable only by your close friends.

Web Server Security

As a web application, Movable Type is more vulnerable to security problems than a desktop application is. The system is a series of CGI scripts. In most configurations, the web server executes CGI scripts as a non-privileged user on the system, that is, as a user who does not have privileges to write to files in your home directory, where your web-accessible files are stored. Because Movable Type needs to write files into your directories to publish your blog, you must make some of your files and directories world-writable. This is a security risk on a shared server: the web server user can now write files to your directories, but so can any other user on the system! This is a real problem, because most hosting servers are shared between many users.
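To see how much of a publishing directory is exposed this way, the following shell functions list every world-writable file and directory beneath it. This is an added example, not code from the book or from Movable Type; the function names and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a blog's publishing directory for world-writable
# entries. Function names are illustrative, not part of Movable Type.
# Usage: audit_world_writable /path/to/your/blog/root   (placeholder path)

# Print one line per world-writable entry under $1, tagged by kind:
#   FILE        regular file any local user can overwrite
#   DIR         directory any local user can add to, rename in or delete from
#   DIR+sticky  directory any local user can add to, but where only an
#               entry's owner (or the directory owner) can remove or rename it
# Returns 2 if $1 is not a directory.
audit_world_writable() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    # -perm -0002 matches entries whose "other" write bit is set.
    find "$root" -type f -perm -0002 -print | sed 's/^/FILE /'
    # -perm -1000 matches the sticky bit; "!" negates the test.
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
    find "$root" -type d -perm -0002 -perm -1000 -print | sed 's/^/DIR+sticky /'
}

# Print how many entries under $1 are world-writable without the
# sticky-bit restriction (plain FILE and DIR lines only).
count_unrestricted() {
    audit_world_writable "$1" | grep -c -v '^DIR+sticky ' || true
}
```

Paths containing newlines are reported across several lines, so treat the output as a report for a person to read rather than as input to another script.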

To prevent this security hole, many providers have installed cgiwrap and/or suexec. These systems both use the same technique: instead of running CGI scripts as the web server, they run the CGI scripts ...
