It's all fun and games until someone loses an eye...
Take a quick look at your link list. Run your mouse over the list and look at the URL (Uniform Resource Locator) in the status bar at the bottom of your browser. You'll probably find a mixture of URL types. Some of the links will be displayed as http://www.domain.com and others will display a subfolder (http://www.domain.com/blog). Look at your own site. Do you have your blog in your main site folder or do you have it in a subfolder?
What is the blogging tool that you use? Do you use Movable Type or Blogger? There are many blogging tools available and some work differently than others. And these tools interact with your web space in different ways.
If you use Blogger, you have the choice of using Blogspot or your own site to post your entries. When you choose Blogspot, you are basically posting your entries to your directory on their server. This is usually transparent to the user and works well. If you choose to use your own server, you have the option of transferring the pages to any location within your site. Note the word "transfer." The pages are created on the Blogger server (probably in a temp folder) and transferred to your server using FTP (file transfer protocol). You will have to provide your username and password in order to make this work. Hopefully, those who post to the main folder of the site have a setup like this. This is secure because the pages are *written* on the Blogger server and *transferred* to yours (using a username and password). This is a very important point.
If you are using Movable Type (or something similar), it works differently. If a friend installed it for you, you may not know what is involved in the process. If you installed it yourself, you still may not realize the implications of what you were doing. During the install, you installed the Movable Type program. The entire process now occurs on your server. The permissions required to run MT are safe. You must use a username/password combination to access the program. Now create a blog. Follow the instructions.
The way the MT program works, it uses the data from the entries and the templates to create a file (which is your page). The program writes the file to the folder you have chosen for your blog. Notice I said "writes" and not "transfers." In order for MT to work properly, you must change the permissions on the folder where you want your blog to be displayed. The permissions on the folder must be set to 777. This is why people who use MT place their blog in a subfolder of their site. These permissions give "everyone" permission to write to that folder.
There are three types of permissions - read, write and execute. You have to give the "everyone" group (represented by the far right number) read permission to view your site. Usually, you'll give them execute permission too. This enables scripts that you put on your website to run for anyone visiting the site. The dangerous permission is the "write" permission. This allows people to write to your site. You want this to happen when someone makes a comment. You don't want this to happen when someone wants to overwrite your website.
As you can see, putting these permissions on a subfolder is one thing. It's an acceptable risk. If anything happens in that one little folder, it won't affect the whole site. And if someone did take the time and effort to deface your site in that folder, you could simply hit rebuild and recreate all the files (overwriting their files). The data and templates are stored in a separate folder.
You don't want to give those permissions to your entire site.
Go back and read that last line until it sinks in... Don't give 777 permissions to your entire web site. Use a subfolder. It's less risky. (And limits the area for potential damage.)
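Here is a way to check your own server for exactly this mistake. It is an added example, not part of the original post: a small POSIX shell script that decodes the far-right ("everyone") digit of a mode like 777 and then walks a web root looking for anything world-writable outside the one subfolder you deliberately opened up. The web root path and the subfolder name are assumptions you supply; the demo at the bottom builds a throwaway site tree so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or from Movable Type).

# Decode the "everyone" digit (the far-right number) of an octal mode
# such as 777 or 755. Returns 0 when that digit includes the write bit
# (value 2), i.e. when anyone can write there.
others_can_write() {
    others=${1#${1%?}}          # last character of the mode string
    case $others in
        2|3|6|7) return 0 ;;     # write bit is set for "everyone"
        *)       return 1 ;;
    esac
}

# Walk a web root and print every world-writable file or folder that is
# NOT inside the one subfolder you chose for the blog.
# Usage: find_world_writable WEBROOT [ALLOWED_SUBFOLDER]
# WEBROOT is given without a trailing slash. Returns 0 if the site is
# clean, 1 if anything else is writable by everyone.
find_world_writable() {
    webroot=$1
    allowed=$2
    if [ -n "$allowed" ]; then
        # -prune skips the blog subfolder; -perm -002 matches any entry
        # whose "others" bits include write (the 2 in the last digit).
        hits=$(find "$webroot" -path "$webroot/$allowed" -prune -o \
                    -perm -002 -print)
    else
        hits=$(find "$webroot" -perm -002 -print)
    fi
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demo with a constructed site tree: blog/ is 777 (acceptable), then
# images/ is also opened to 777 (the mistake the post warns about).
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/blog" "$site/images"
    chmod 755 "$site" "$site/images"
    chmod 777 "$site/blog"
    find_world_writable "$site" blog && echo "clean: only blog/ is 777"
    chmod 777 "$site/images"
    find_world_writable "$site" blog || echo "fix the folder(s) above"
    rm -rf "$site"
}
```

Run it as a cron job or before each rebuild; any path it prints is somewhere "everyone" can overwrite your pages.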
How easy is it to write to someone's site like that? All it takes is time and a browser (and a little malicious intent). Look at the address bar on your browser. You use it for putting in a web address and going to a site. Malicious users could easily put in an address along with some code and that code will put the page of their choice on your web site (or deface the site).
Don't give everyone permission to write to your entire site.
Posted by BlueWolf on August 10, 2002 09:38 AM