Hey guys -
I recently upgraded to MT4.23. Around the same time, my host decided to upgrade and/or switch its MySQL databases. So I got assigned to a new MySQL server, which caused some issues that the host had supposedly worked out.
I went to change my site template (just to update the copyright year, actually), and found that I couldn't edit the Template files in my Admin section due to cross site scripting security issues, which are probably related to the move of my MySQL database.
I have checked the mt-config file, and I've tried my links both with and without the www., but no configuration is allowing me to edit these templates.
Here's my mt-config.cgi info:
#======== REQUIRED SETTINGS ==========
CGIPath http://itinerantangler.com/cgi-bin/mt
StaticWebPath http://itinerantangler.com/podcasts
StaticFilePath /data/2/0/147/156/147971/user/149790/htdocs/podcasts
#======== DATABASE SETTINGS ==========
ObjectDriver DBI::mysql
Database *********
DBUser *******
DBPassword *********
DBHost mysqlv2
[I've blocked out the database, DBUser, and DBPassword info, but they're correct].
I am not savvy at all when it comes to manipulating MySQL databases. I do have access, however. Could someone talk me through what to look for to see if the database entries for the mt-config file are pointing to the OLD MySQL server for some reason?
Alternatively, is there a way to manipulate the templates without using the built-in MT admin screens? I really could care less if I changed these dates via the MT-approved method; editing html files works fine everywhere else on the site.
Thanks a lot,
Zach
Reported on Movable Type 4.2
Are you logging into the MT console with http://itinerantangler.com/cgi-bin/mt or http://www.itinerantangler.com/cgi-bin/mt
With the www., but as I mentioned, I tried it both ways in my mt-config.cgi file and it made no difference either way.
Zach
Here's the thing. Your database should have no bearing on this. You're not supposed to publish your blog into StaticWebPath. That is part of the core Movable Type installation and you risk overwriting certain files that Movable Type depends on like its internal mt.js file which is separate from the mt.js that the standard templates build. In your case that doesn't **seem** to be the case, but you really should upload a fresh mt-static directory to your host and change the StaticWebPath to point to it rather than the directory, /podcasts, where you publish your blog.
So, I would upload a new copy of mt-static, make that change to mt-config.cgi and see if that doesn't clear it up. Also, make sure that you log into the CGI app using the same domain as you have there. Your configuration there is, in principle, good, but even if you fix it by reuploading mt-static and changing those settings, if you log into the admin console from the wrong URL you are guaranteed to get the XSS errors.
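The two checks this reply describes (log in from the same origin as CGIPath, and keep StaticWebPath out of the blog's publishing directory), as an added example that is not part of the original post or of Movable Type's own code. The function names, the finding labels and the sample login and blog URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample, based on the settings quoted earlier in this thread.
SAMPLE_CONFIG = """\
#======== REQUIRED SETTINGS ==========
CGIPath http://itinerantangler.com/cgi-bin/mt
StaticWebPath http://itinerantangler.com/podcasts
"""

def parse_mt_config(text):
    """Read 'Directive value' lines; blank lines and '#' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, value = (line.split(None, 1) + [""])[:2]
        settings[name] = value.strip()
    return settings

def origin(url):
    """(scheme, host, port) as a browser compares origins.
    'www.example.com' and 'example.com' are different hosts."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def check_mt_urls(config_text, login_url, blog_site_url):
    """Return a list of findings (hypothetical labels) for the given config."""
    cfg = parse_mt_config(config_text)
    cgi = cfg.get("CGIPath", "")
    static = cfg.get("StaticWebPath", "")
    findings = []
    # The admin console must be opened from the origin configured in CGIPath.
    if origin(login_url) != origin(cgi):
        findings.append("login-origin-differs-from-CGIPath")
    # A relative StaticWebPath (no scheme) is served from the same origin.
    if urlsplit(static).scheme and origin(static) != origin(cgi):
        findings.append("StaticWebPath-origin-differs-from-CGIPath")
    # StaticWebPath should be a dedicated mt-static directory,
    # not the directory the blog is published into.
    if static.rstrip("/") == blog_site_url.rstrip("/"):
        findings.append("StaticWebPath-is-blog-publish-directory")
    return findings
```

An empty list means the login URL, CGIPath and StaticWebPath agree on origin and the static files have their own directory.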
Mike -
Thank you for your help, first of all.
I did as you suggested and moved an mt-static directory to the /cgi-bin. I am able to log in to my admin page, but it cannot access the .css file to give that page shape (it's a bunch of blue links).
I made sure to upload in ASCII mode and I've attempted to CHMOD everything to 777 (wide open) but it isn't giving me back CSS. When I pull up the actual main.css file referenced in the admin's page, I get a 505 server error.
I'm thinking that I ran into this before and that's why my /mt-static/ directory was located down in /htdocs/ (not in /cgi-bin/).
Am I doing something wrong, or am I stuck with having mt-static down in the /htdocs/ files? Why would this problem start now when I have had the same configuration for years (if not from my host moving the database servers)?
Zach
Ok, wait, I think I understand what you were saying now. I had been pointing to an /mt-static/ directory within my podcasts directory (which is where the main blog stuff is posted). I re-directed the mt-config.cgi file to an /mt-static/ directory under my main directory tree (/htdocs/ NOT /cgi-bin/, which is what I thought you were saying).
That gets me CSS back and I can once again navigate the system. However, unfortunately, I'm back where I started in that I still get a grayed-out box when I try to edit my templates. I presume this is still an XSS error? Any ideas?
Zach
I found a partial solution. I still don't know what is going on on my server, but if I run Firefox with the NoScript add-on, it blocks whatever XSS issue I'm having and allows me to edit my templates.
Zach
Ok, I am kind of talking to myself here, but for what it's worth, the NoScript add-on is reporting that it's blocking 'googleapis.com,' which seems to be a legitimate website. I have no idea what is wrong at this point but it actually sounds like a bug worth looking into.
What plugins do you have? Googleapis is not referenced from any standard MT admin console template that I know of. If you have Zemanta installed, I would recommend disabling that.
I only have five plugins running and they all appear to be MT plugins:
MultiBlog 2.0
TypePad Anti-Spam 1.0
SpamLookup - Lookups 2.11
SpamLookup - Link 2.11
SpamLookup - Keyword Filter 2.1
I did comb through the source code of the admin page where I am getting the XSS error; it does appear to reference www.google.com in one of the javascripts at one point, but I don't know enough about either java or XSS to know if that would be causing the issue.
Zach