Search

Results

If the result list is too large, please consider these hints:

  • Reduce the number of websites.
  • Add more keywords.
  • Use quotes for building terms from keywords. For example, the phrase banner image searches for all articles containing both words. However, "banner image" searches for the exact two-word phrase.
163 hits

1. Securing your weblog - CGIWrap and SuEXEC

Movalog, News, 35 KB, 1825 words

Co-authored by Arvind Satyanarayan and Elise Bauer. Tutorial cross posted on Movalog and Learning Movable Type

The installation instructions in the Movable Type Install Guide contain a section in the Configuration area called Enable Security Features. These instructions tell you to uncomment the Umask lines in your mt.cfg if your server is running cgiwrap or suexec. If you don't know what CGIwrap or suEXEC are, you may be tempted to skip this step. Don't. This step gives your MT installation extra security, which we will explain. (Note that this tutorial is only appropriate for MT installations on Linux/Apache web servers.)

What is CGIWrap or suEXEC?

CGIWrap and suEXEC are features...

2. Securing Feeds

Six Apart ProNet Weblog, News, 14 KB, 202 words

Greg Reinacker of NewsGator has a smart post about security in XML feeds where he makes a strong argument for reusing prior art:

My advice for now? Don't worry about it. RSS today is transported via HTTP. Sure, you could use other protocols - but almost no one does. This same argument came up some time ago about SOAP web services...a lot of work went into making sure everything was portable enough to deliver SOAP messages through any arbitrary transport. But in real life? Almost no one is doing it.

We don't need more protocols. We don't need yet another encryption standard. We don't need yet another authentication mechanism. Use what works today - it's proven itself already.

It's a compelling argument,...

3. Security, not Obscurity

MezzoBlue, Tutorials, 11 KB, 632 words

Lesson learned: remove, don't rename.

Don't ever rely on security through obscurity, they say.

You know, they might just be right.

I'm giving TSEP a try to replace the limited Movable Type search box currently driving this site. Not only is it picking up all sorts of old archived files I had completely forgotten about, my heart absolutely sunk as I realized I had turned on PHP parsing just before it ran across an archived file that runs this little snippet of code: $queryWipe = "DROP TABLE IF EXISTS submissions"; $queryCreate = "CREATE TABLE submissions ( submissions_id mediumint(8) NOT NULL auto_increment, name varchar(48) NOT NULL default '', email...

4. Joe Gregorio on Secure Syndication

Six Apart ProNet Weblog, News, 13 KB, 80 words

Joe Gregorio's posted a new article on XML.com, called Secure RSS Syndication, and the story covers just what the title suggests. Using a regular XML feed, some Greasemonkey magic, and a private key, Joe's able to syndicate data without his aggregation service being able to read it. Cool stuff.

5. MT 3.15 Release Fixes Critical Security Hole

Learning Movable Type, News, 14 KB, 142 words

According to Six Apart, "version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions which allows malicious users to send email through the application to any number of arbitrary users." There is also a plugin that fixes this problem if you don't want to update right away. All users should upgrade to this version or install the plugin! More details here. Have you found the tutorials at Learning Movable Type helpful? Please consider linking to LMT at http://www.learningmovabletype.com/ . Thanks!

Posted by elise on January 24, 2005 to Announcements

6. CGIWrap and suEXEC

Learning Movable Type, Tutorials, 25 KB, 1231 words

Co-authored by Elise Bauer and Arvind Satyanarayan. Tutorial cross posted on Movalog and Learning Movable Type

The installation instructions in the Movable Type Install Guide contain a section in the Configuration area called Enable Security Features. These instructions tell you to uncomment the Umask lines in your mt.cfg if your server is running cgiwrap or suexec. If you don't know what CGIwrap or suEXEC are, you may be tempted to skip this step. Don't. This step gives your MT installation extra security, which we will explain. (Note that this tutorial is only appropriate for MT installations on Linux/Apache web servers.)

What is CGIWrap or suEXEC?

CGIWrap and suEXEC are features...

7. Attacked!

Learning Movable Type, News, 25 KB, 1329 words

Updated 12:30 am PST, Oct 4

Wednesday morning, September 29th, Learning Movable Type and some of the other MT weblogs hosted at elise.com were intruded by a spammer who placed popup generating code on the MT index and archive templates. Not being aware of the additional code on my templates, as I rebuilt the pages of my weblogs, the rebuilt pages included this code which generated an obnoxious spam popup window every time someone visited the page. I apologize to all who may have been inconvenienced by this, and thank those of you who brought it to my attention.

The good news is that the spammer could have done a lot of damage to the site, but didn't. The bad news is I'm not sure...

8. Movalog: Announcements Archives

Movalog, Tutorials, 27 KB, 982 words

Newsgator Toolkit

Although not directly related to Movable Type, many bloggers I know have been asking for such a tool. The Newsgator Toolkit is an extension for Mozilla Firefox that will eventually provide you with a series of complex and powerful tools...

Posted on 10/13/2005

Updates to the Style Generator

At long last I've made some updates to the Style Generator to better fit with Six Apart's standard. This means that you can finally apply the tips discussed in this tutorial to stylesheets created using the style gen. Most of...

9. Installing Movable Type with FTP

Six Apart User Manual, Manuals, 26 KB, 994 words

Installing Movable Type with FTP

Problem

You want to install the Movable Type software using FTP.

Solution

Download an FTP application, uncompress the software onto your desktop and take care of any necessary configuration before uploading.

Discussion

• An FTP (file transfer protocol) program is used to send the files from your computer to your server. If you don't yet have an FTP program, there are many available for free. SmartFTP is a good FTP program for Windows, and offers a free trial version. Transmit is a good FTP program for Mac users on OS X, and it has a free...

10. Password Protecting Your Blog with .htaccess

Learning Movable Type, Tutorials, 31 KB, 2285 words

One way to set up a private, password-protected weblog is by adding a .htaccess file to the directory in which the weblog resides. htaccess files can give you extra control over your server, allowing you to password protect directories, enable server side includes, generate custom error messages, and block users by IP address among other things. I've already described the fundamentals of .htaccess in another tutorial, see What is .htaccess? If you are setting up .htaccess for the first time, be sure to read this tutorial thoroughly.

1. Create .htpasswd

The first thing you need to do, before creating your .htaccess file, is to create a file called .htpasswd, which will hold the user...

11. Flash’s Got a Brand New Bag

A List Apart, Tutorials, 13 KB, 1547 words

As broadband Internet connections become more ubiquitous, and more corporate sites begin to incorporate Flash and use it as their primary tool, there will be more of a need to incorporate e-commerce functionality into the Flash-based websites that you design. For the moment, this is uncommon, and I can propose two reasons why:

  • Most e-commerce developers have experience creating HTML-based sites, and the current crop of development tools (i.e. ASP, PHP, JSP, Cold Fusion) are specifically designed to spit out HTML pages.
  • Many people still use dial-up modems. So, to provide easy, quick access to the largest number of customers possible, simple HTML sites are almost always the way to go....

12. ProNet: February 2005 Archives

Six Apart ProNet Weblog, News, 34 KB, 2276 words

02.28.2005

TypePad UK Launches

We're proud to announce today that TypePad has launched in the UK. Though it was our least strenuous language translation ever, we're proud to have another country-specific offering to complement our current services in Belgium, France, Germany, Japan, The Netherlands, Spain, and The United States.

Posted by anildash in TypePad at 10:46 AM

02.27.2005

Dreamforce, blogs for the Salesforce.com community

Salesforce.com is one of the most popular hosted business applications, with an active community of users and developers. One of the ways that they're keeping in touch with these diverse...

13. mod_security

Movalog, Tutorials, 28 KB, 924 words

During the comment spam crisis, before 3.14 was released, my host installed something called mod_security. I have noticed that ever since it was installed, the comment spam flood I normally experienced turned into a trickle. mod_security helps with a lot of things. It's good for helping block a lot of the script vulnerability attacks like cross-site scripting, bad PHP includes, etc., so there's a good chance it will be installed on your host; if not, ask them.

If you do have mod_security installed, I will guide you through setting it up such that it blocks comment spam. What is the advantage of mod_security over MT-Blacklist? mod_security scans the comment before it hits MT-Blacklist or...

14. Installation under Windows 2003

Movable Type Weblog, Tutorials, 32 KB, 2294 words

Right after having bought Movable Type there were problems. Fact is that the installation description does not contain specific information for the Windows platform. Because of this, it took some time until I finally managed to make it work.

Looking back after having completed the installation successfully, it is not difficult. Until Six Apart gives better installation instructions for Windows users, maybe my description will help.

Introduction

The installation consists of the following parts:

  • Installing the Perl runtime environment
  • Copying the Movable Type components
  • Configuration of some Movable Type files
  • Configuration of MS IIS
  • Creating the Movable Type Database

All screenshots can be...

15. mod_security for protecting your blog

Six Apart ProNet Weblog, News, 16 KB, 380 words

In light of the coverage that the Register's interview with a link spammer is getting, it's worth reviewing some of the host-level changes that can be made to protect against these attacks.

Foremost among the options is mod_security. You can follow the latest on this Apache module on the mod_security blog, which is powered by Movable Type and protected by mod_security. If you're new to the module, you can read over this useful introduction to mod_security.

For a more general look at how to protect yourself, you can take a look at Elise Bauer's tutorial as well as Ann Elisabeth's ongoing coverage of how spam is evolving.

If you want to implement mod_security yourself, a great way to...

16. 2.51 (2002.10.29)

Six Apart User Manual, Manuals, 26 KB, 1073 words

2.51 (2002.10.29)

  • Added Windows right-click bookmarklet functionality, where you can use a Post to MT Blog right click option to open the bookmarklet. Thanks to Anil Dash for the code.
  • Added a generic <MTElse> tag, which can be used to supply an "else" condition to any conditional. Thanks to Brad Choate for the code.
  • Added an <$MTEntryPermalink$> tag, which does the right thing when displaying the link for an entry: if an individual archive, it is not followed by an anchor; otherwise, it is.
  • When rebuilding files, only rewrite the...

17. Concerning Spam

Learning Movable Type, Tutorials, 27 KB, 1771 words

Updated August 29, 2005. Originally posted in 2004.

Spammers have discovered bloggers and sooner or later if you allow comments or trackback pings on your weblog you will get spammed.

Blog spam appears in many flavors:

1) Basic comment spam. The spammer leaves a short uneventful message in a comment field in one of your entries. The spam comes from the URL placed in the comments URL field. These URLs link back to every conceivable scam. The spammers leave URLs here to create a link from your site to theirs, thus increasing their Google ranking. Spammers are also now linking to legitimate sites that have not cleared their pages of comment spam, thus increasing the Google rank...

18. Trackback Spam

Learning Movable Type, Tutorials, 43 KB, 3663 words

Update April 9, 2005: Brad Choate has released a new anti-spam plugin called SpamLookup. Jay Allen, the creator of MT-Blacklist recommends SpamLookup over MT-Blacklist.

Spammers have discovered Trackback and have recently been leaving their trail of unwelcome links all over the blogosphere. To get a sense of what we are up against, read The Register's interview with a link spammer. Listed here are some defensive measures you can take.

MT-Blacklist

As with comment spam, your first recourse is Jay Allen's MT-Blacklist. The blacklist will help you delete the trackbacks and ban the URLs the spammers leave. Note that if you are using MT2.661 and MT-Blacklist 1.65, Jay has special instructions for deleting trackback spam pings....

19. "Email Me" Contact Forms

Learning Movable Type, Tutorials, 34 KB, 2158 words

Providing contact information on your weblog can be useful to your site visitors who may want to email you directly rather than submit a comment to one of your entries. You can choose to write out your email address, provide a mailto link (see MailTo Syntax for how to write out a mailto hyperlink), or you can provide a contact form. Contact forms are often preferred because they can easily hide your email address information from the spammers who regularly scour the web looking for email addresses to harvest.

I have researched and tested two free PHP-based contact form scripts - TheSiteWizard Feedback form and DodosMail - either of which you can easily implement to add a contact form...

20. Update to "Attacked"

Learning Movable Type, News, 21 KB, 744 words

Updated again Monday night, midnight, Oct 4

This post is in reference to: Attacked!. I've posted the following update on that post and here.

One possible way that this attack could have happened is if someone else on my shared web server used a simple php script to read my database username and password. With this information, he or she could have accessed my MySQL database and made changes to the templates. I have sent a request to my web host to address how they handle PHP security. In particular, I was advised to suggest that my web host start using a PHP directive called "open_basedir" to restrict the files that PHP can open. The information on this directive can be found...

Comments

Do you want to post a comment? Please use the announcement post on the Movable Type Weblog.

If you want to give some feedback concerning a specific query, please use the feedback button that is shown after a search has completed.

mgs | September 27th 2005