
Security loophole - blog administrator


Movable Type has a logical security hierarchy: the system administrator has permissions to change things on a system level and a blog administrator has permissions to change things on a blog level.

Nearly...

A blog administrator can change the local directory on the web server machine where his blog is published to. So he could (accidentally, of course) change it to some other part of the web server hierarchy, trashing someone else's blog, for example.

Surely setting the local directory for a blog is a system administrator task?
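The kind of server-side check that would close the gap described in the post, as an added example that is not part of the original post and is not Movable Type code: a proposed publish directory is resolved and then rejected if it leaves a base directory or overlaps another blog's directory. The names `check_site_path` and `allowed_root` and all paths are assumptions made for illustration.

```python
import os
import tempfile

def _inside(path, root):
    """True if path equals root or lies beneath it (both already resolved)."""
    return os.path.commonpath([path, root]) == root

def check_site_path(proposed, allowed_root, other_site_paths=()):
    """Return (ok, reason) for a blog administrator's proposed publish directory.

    allowed_root is a hypothetical base directory chosen by the system
    administrator; other_site_paths are the publish directories of the
    other blogs on the same server.
    """
    root = os.path.realpath(allowed_root)
    # realpath collapses ".." and follows symlinks, so the check is made on
    # the directory that would actually be written to.
    target = os.path.realpath(os.path.join(root, proposed))
    if not _inside(target, root):
        return False, "outside allowed root"
    for other in map(os.path.realpath, other_site_paths):
        # Reject equal, parent and child directories: publishing into any of
        # them can overwrite the other blog's files.
        if _inside(target, other) or _inside(other, target):
            return False, "overlaps another blog"
    return True, "ok"

def demo():
    """Run the check over constructed paths in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        alice = os.path.join(root, "alice")
        os.makedirs(alice)
        os.symlink(tmp, os.path.join(root, "escape"))  # link pointing out of root
        cases = ["bob", "../elsewhere", "/etc", "escape/x", "alice/archives", "."]
        return {c: check_site_path(c, root, [alice]) for c in cases}

if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path!r:20} -> {result}")
```

Only the first constructed case, a new directory under the base that touches no other blog, is accepted.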
