Full Version: Deleting mt-load.cgi
Movable Type Community Forum > Important Information > Announcements & Reminders
Tess
The same warning also applies to mt-upgrade.cgi, if you've upgraded, per the manual:

"After running mt-upgrade.cgi, you should remove mt-upgrade.cgi from the directory where you installed Movable Type. Failure to remove mt-upgrade.cgi could enable someone else to rerun the upgrade script, causing havoc in your Movable Type installation. FAILURE TO DELETE mt-upgrade.cgi INTRODUCES A MAJOR SECURITY RISK. So you should delete it now."
deanpeters
Btw, for those of you who can't bear to delete anything but rather move (or rename) the file ... don't forget to change the privs. e.g.

CODE
mv mt-load.cgi somethingelse.old
chmod 400 somethingelse.old


Not nearly as secure as deleting the sucker, but at least it is less exposed.

Of course, it helps a bit more if you've moved the program into your cgi-bin directory (or a path therein).
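The move-and-chmod fallback above, and the manual's preferred "just delete it", written out as a small audit-and-remediate script. This is an added example, not code from the post or from Movable Type; it assumes the two script names from this thread and takes the installation directory as a parameter. The demo directory it builds contains constructed stand-in files, not the real installer scripts.

```python
import stat
import tempfile
from pathlib import Path

# Names of the one-shot installer scripts this thread says to delete after use.
INSTALLER_SCRIPTS = ("mt-load.cgi", "mt-upgrade.cgi")


def audit_install_dir(install_dir):
    """List leftover installer scripts under install_dir with their permission facts.

    Each finding records whether any execute bit is set (the web server can run it
    as CGI) and whether group/others can read it.
    """
    findings = []
    for name in INSTALLER_SCRIPTS:
        path = Path(install_dir) / name
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "name": name,
            "mode": format(mode, "04o"),
            "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
            "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def quarantine(install_dir, name, suffix=".old"):
    """The post's fallback: rename the script and chmod it to 0400.

    Renaming stops a .cgi handler from matching it; 0400 leaves no execute bit,
    so the server cannot run it even in a ScriptAlias directory, and a server
    running as a different user cannot read it either.
    """
    src = Path(install_dir) / name
    dst = src.with_name(name + suffix)  # e.g. mt-load.cgi.old (assumed naming)
    src.rename(dst)
    dst.chmod(stat.S_IRUSR)  # 0400
    return dst


def delete(install_dir, name):
    """The option the manual recommends: remove the script outright."""
    path = Path(install_dir) / name
    path.unlink()
    return not path.exists()


def remediate(install_dir, action="delete"):
    """Apply one action to every leftover script found; returns the names handled."""
    handled = []
    for finding in audit_install_dir(install_dir):
        if action == "delete":
            delete(install_dir, finding["name"])
        elif action == "quarantine":
            quarantine(install_dir, finding["name"])
        else:
            raise ValueError("action must be 'delete' or 'quarantine'")
        handled.append(finding["name"])
    return handled


def make_demo_dir():
    """Create a throwaway directory holding constructed stand-ins for both scripts
    (mode 0755, as a CGI would be installed) so the functions can be tried offline."""
    demo = Path(tempfile.mkdtemp(prefix="mt-demo-"))
    for name in INSTALLER_SCRIPTS:
        script = demo / name
        script.write_text("#!/usr/bin/perl\n# constructed stand-in, not the real script\n")
        script.chmod(0o755)
    return demo


if __name__ == "__main__":
    demo = make_demo_dir()
    for f in audit_install_dir(demo):
        print(f"{f['name']}: mode {f['mode']}, executable={f['executable']}")
    print("quarantined:", remediate(demo, action="quarantine"))
    print("remaining findings:", audit_install_dir(demo))
```

Run it against the real directory with `audit_install_dir("/path/to/mt")` first; `remediate(..., action="delete")` is the end state the manual asks for, and `quarantine` is only the weaker fallback for hosts where the file cannot be removed.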
btrott
It was also posted on the homepage (www.movabletype.org). A mailing list (announce-only) might be nice, and actually we do have one, but it's for new release announcements.
faf
I think I have a solution for the mt-load.cgi hole:

It involves checking for the existence of Melody as an author and going on to check for mt-load.cgi depending on whether the 1st condition was met.

If both are true then the login is disallowed regardless of author and password matching.

This check will have to be done every time someone tries to login... even with a different author name.

Sure it'll slow the login process down but not by much. True?

I hope Ben or Mena notice this.
btrott
All--

It is OF THE UTMOST IMPORTANCE that you remove mt-load.cgi after you run it the first time. If you did not delete mt-load.cgi when you installed MT, DO IT NOW.

There is a hacker (or a group of hackers) hacking MT sites by running mt-load.cgi to gain access to the system. You are not vulnerable to this if you deleted mt-load.cgi.

As the installation instructions say, and as mt-load.cgi itself says, you must remove mt-load.cgi from your server after you run it to prevent this security hole.

So, do it now, if you haven't done so already.
btrott
Yes, good point (although the security issue with mt-upgrade.cgi is not nearly as bad as with mt-load.cgi).

Also, an UPDATE: I've written a script that will let you regain access to your blog. Email me (use the button below) if you have been hacked in this manner, and I'll send you the script.
kgish
Wouldn't it be nice to have these kind of important announcements emailed automatically to all MT-owners?

I just happened to pass by the forum today after a long pause and was lucky to catch this announcement before being hacked (to pieces) myself.

Is there a mailing list I can sign up for these kind of alerts?
Arnab Nandi
I think it'd be cool if we had an XML-RPC based (or IFRAME based) news ticker directly on the MT app interface. Some people might not like the fact that their MT "phones home" all the time, but I think it's a sensible thing to have.

This way, all essential updates would immediately reach the user. Ben/Mena will just have to post it once, and everyone automatically gets the message.
FreDy
What is the danger with mt-upgrade.cgi? I've executed it two times; am I in danger?

Thanks
Crash
QUOTE
Some people might not like the fact that their MT "phones home" all the time, but I think it's a sensible thing to have.

I agree, and you could always have an option to disable it from the client side.

I created a code snippet for an e-commerce shopping cart that we released. The code would "phone home" to our server and read a text file containing the current stable release. If the user was up-to-date with their code, a green traffic light would be displayed. If a minor update or bug fix was available, a yellow light. And if the user was more than a few revisions behind, a red traffic light would appear. If the user didn't want to know about updates in this manner, he/she could disable that function.

So, taking what Arnab Nandi said above, the option to turn it off is the key, and the documentation should clearly state that it's an option that can be disabled. The way I look at it, if you tell the user up front what you're doing, and let them decide if they actually want you to do it, the user will have no reason to be mad...
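The traffic-light update check Crash describes, as an added example (not the shopping-cart code from the post, and not anything Movable Type ships). It assumes the server-side text file lists one stable release per line rather than only the current one, so the client can count how many releases it is behind; the feed shown here is a constructed sample, the thresholds are assumptions, and the opt-out is a plain parameter so the check never runs when the user has disabled it.

```python
import re

# Constructed sample of the server-side release file: one stable release per
# line, oldest first. Comment lines and blanks are tolerated and ignored.
SAMPLE_RELEASE_FEED = """# stable releases (constructed sample, not real MT versions)
2.2.1
2.5.1
2.6.0
2.6.3
2.6.4
"""

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '2.6.3' into (2, 6, 3); returns None for lines that are not versions."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def parse_release_feed(feed_text):
    """Extract the sorted, de-duplicated list of versions from the feed text.

    Anything that is not a bare version string is dropped, so a tampered or
    malformed feed degrades to 'fewer known releases' rather than to an error.
    """
    versions = (parse_version(line) for line in feed_text.splitlines())
    return sorted({v for v in versions if v is not None})


def update_status(installed, feed_text, enabled=True, red_after=3):
    """Classify the installed version against the feed.

    'disabled' - user opted out, nothing is compared (and nothing would be fetched)
    'unknown'  - feed unusable; fail quietly rather than raise a false alarm
    'green'    - up to date, 'yellow' - a few releases behind, 'red' - red_after or more
    """
    if not enabled:
        return "disabled"
    current = parse_version(installed)
    if current is None:
        raise ValueError(f"not a version string: {installed!r}")
    releases = parse_release_feed(feed_text)
    if not releases:
        return "unknown"
    behind = sum(1 for v in releases if v > current)
    if behind == 0:
        return "green"
    if behind < red_after:
        return "yellow"
    return "red"


if __name__ == "__main__":
    # Offline demo using the constructed feed; in a real client the feed text
    # would be fetched from the vendor over HTTPS, sending only the version.
    for installed in ("2.6.4", "2.6.0", "2.2.1"):
        print(installed, "->", update_status(installed, SAMPLE_RELEASE_FEED))
    print("opted out ->", update_status("2.2.1", SAMPLE_RELEASE_FEED, enabled=False))
```

The design point from the post carries over: the opt-out short-circuits before any comparison (and, in a networked client, before any request), and the only data the check needs is the version string itself.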
mxfreak
Alternatively, how about getting mt-load.cgi and mt-upgrade.cgi to rename/move themselves away, changing their own permissions from 755 to 700 and displaying the results in the output?

The names should be randomized based on the machine/domain or something. I know that that still introduces a problem with security, but at least it does leave the MT team with less 'liability' as such?

Regards

Stefan
btrott
Actually, since 2.2 (I think) mt-load.cgi has been made safe--if it detects data in the database, it will not reinitialize the database.

The other issue about renaming the file is that there is a permissions issue (the same permissions issue that makes it impossible to delete mt-load.cgi).
aurelio78
Hi, I'm looking for a free website host that supports CGI so that I can use Movable Type. Haven't found any yet. Does anyone know a good one? That will help me a lot. Thanks, everybody.
webdivauk
I don't think anyone would mind you sending out information about a security issue on the upgrade announcement mailing list.
A_Jelly_Doughnut
QUOTE
Hi, I'm looking for a free website host that supports CGI so that I can use Movable Type. Haven't found any yet. Does anyone know a good one? That will help me a lot. Thanks, everybody.

Clawz.com supports Movable Type.