Revision history for FileManagerHack


Revision [23133]

Last edited on 2016-05-20 07:38:46 by AdamM [Replaces old-style internal links with new pipe-split links.]
Additions:
I want a file manager with upload, rename, move, directory support and so on. Once I gently asked for that, Google pointed me to a script called [[http://cker.name/webadmin/ | webadmin]]
~2) copy [[http://cker.name/webadmin/webadmin.php | webadmin.php]] into it
webadmin.php can browse up to the site root, so it lets anyone download (and read) wikka.config.php, which holds your database password in clear text. Guess what could happen once the 3v1l H4cK3R has uploaded [[http://www.phpmyadmin.net/home_page/ | PHPMyAdmin]] to dump and modify your database...
According to user feedback on Wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), a file manager on a public site would be useful for administrative purposes. It is not necessary to let every user upload files (and it is actually a very bad idea to let unregistered or untrusted users upload anything). Restricting webadmin to administrative use is a piece of cake thanks to [[http://www.apache.org/ | apache]]'s .[[http://httpd.apache.org/docs-2.0/howto/auth.html | htaccess/.htpasswd]]. (What? You're running [[http://www.microsoft.com/iis | Microsoft IIS]]? Oh, so you don't even know what security is? ;o) )
This procedure is for a Unix/Linux system; I don't know how it works on a Windows server. I've heard of some .htpasswd generators online; google for those if you haven't yet switched to Linux or [[http://www.apple.com/macosx/features/unix/ | MacOs X]].
Deletions:
I want a file manager, with upload, rename, move, directory support and so on. Once gently asked for that, google pointed me on a script called [[http://cker.name/webadmin/ webadmin]]
~2) copy [[http://cker.name/webadmin/webadmin.php webadmin.php]] in it
webadmin.php is able to get up to the site root, and also allow anyone to download (and read) wikka.config.php, with your database password in clear text in it. Guess what could happend... once the 3v1l H4cK3R has uploaded [[http://www.phpmyadmin.net/home_page/ PHPMyAdmin]] to dump and modify your database...
According to some user feedback on wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), the use of a file manager on a public site would be interesting for administrative purpose. It is not necessary to let every users uploading files (and actually it's more likelly a very bad idea to let unregistered / not trusted users upload anything). Restricting access to webadmin for administrative tasks is a piece of cake thanks to [[http://www.apache.org/ apache]]'s .[[http://httpd.apache.org/docs-2.0/howto/auth.html htaccess/.htpasswd]]. (What? you're running [[http://www.microsoft.com/iis Microsoft IIS]]? oh so you don't even know what security is? ;o) )
this procedure is to run on a Unix/Linux system, I don't know how does it works on a windows server. I've heard of some .htpasswd generators online, google for that if you didn't yet switch to Linux or [[http://www.apple.com/macosx/features/unix/ MacOs X]].


Revision [18944]

Edited on 2008-01-28 00:13:28 by AdamM [Modified links pointing to docs server]

No Differences

Revision [15234]

Edited on 2006-08-25 07:53:59 by AdamM [Modified links pointing to docs server]
Additions:
====File Manager====
//How to add file upload/management in wikka//

===Why===
I've set up a wikka site for my company to store the knowledge base and allow every user to read/write docs without leaving their workstation to find an old document in the company's archives.
My problem was quite simple: I needed users to add screenshots to wiki pages. Letting them do so by FTP would be a waste of their time; they need something quick and simple. I also had less than 1 hr to add this feature.

===What===
I want a file manager with upload, rename, move, directory support and so on. Once I gently asked for that, Google pointed me to a script called [[http://cker.name/webadmin/ webadmin]]
This script is a single file that does everything a file manager is supposed to do. Now let's add it to wikka so my users can work more efficiently.

===How===
First, I want to add a 4th button to the edit handler, right after the textbox. Here is what I've modified in ##/handlers/page/edit.php## :
%%(php)
$output .=
$this->FormOpen("edit").
"<input type=\"hidden\" name=\"previous\" value=\"".$previous."\" />\n".
"<textarea onKeyDown=\"fKeyDown()\" id=\"body\" name=\"body\" style=\"width: 100%; height: 500px\">".htmlspecialchars($body)."</textarea><br />\n".
//note add Edit
"<input size=\"40\" type=\"text\" name=\"note\" value=\"".htmlspecialchars($note)."\" /> Please add a note on your edit.<br />\n".
//finish
"<input name=\"submit\" type=\"submit\" value=\"Store\" accesskey=\"s\" /> <input name=\"submit\" type=\"submit\" value=\"Preview\" accesskey=\"p\" /> <input type=\"button\" value=\"Cancel\" onclick=\"\" /> ".
//ChiWaWa's little FileManagerHack: opens webadmin.php in a popup; the absolute path assumes Wikka is installed at the site root
"<input type=\"button\" value=\"Manage Files\" onclick=\"window.open('/handlers/3rdparty/webadmin.php','FileManagement','height=600,width=800,toolbar=yes,location=1')\" />\n".
$this->FormClose();
%%

**Notes :**
~- Wikka is the site root here; keep that in mind when setting the path ##/handlers/3rdparty/webadmin.php##. Giving the full URI of the webadmin.php script also works, but I had trouble with relative paths
~- The file manager opens in a popup window so it does not interfere with the page being edited
~- Feel free to modify the popup window parameters to fit your needs. Usually 800x600 gives the best results.

Next step: add the script to wikka's tree
~1) Create the ##/handlers/3rdparty## directory
~2) copy [[http://cker.name/webadmin/webadmin.php webadmin.php]] into it
~3) **Important** (I've lost a lot of time trying to fix that): copy ##/images/.htaccess## into ##/handlers/3rdparty/##
//not doing so will result in wikka trying to access a page named handler/3rdparty/webadmin.php.php; I still don't understand why// :p

Finally, edit webadmin.php to change some parameters:
%%(php)
$lang = 'auto';
//this is probably what you want, although setting $lang to 'en' is closer to wikka's way of handling I18N

$homedir = '../../images';
//this turns webadmin into an image uploader, but it can still browse up to wikka's root directory... ouch
%%

And that's it. Now edit a page, click the button, and if the web server has write access to the images directory, you can upload and manage files.

===BUT===
**This hack is an awful security threat on a public site**
webadmin.php can browse up to the site root, so it lets anyone download (and read) wikka.config.php, which holds your database password in clear text. Guess what could happen once the 3v1l H4cK3R has uploaded [[http://www.phpmyadmin.net/home_page/ PHPMyAdmin]] to dump and modify your database...
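
What makes webadmin.php dangerous is the missing check that a requested path stays under ##$homedir##. The following is an added example, not code from webadmin.php or from Wikka: it puts the naive concatenation next to a confined version that canonicalises with ##realpath()## and rejects anything that resolves outside the base directory, symlinks included. The function names and the temporary directory tree the demo creates are assumptions.

```php
<?php
// Added example, not code from webadmin.php or Wikka: confining every
// requested path to $homedir. Function names and the temp layout are assumptions.

// What the tutorial warns about: the user-supplied path is just appended
// to $homedir, so '../wikka.config.php' walks straight out of /images.
function naivePath(string $homedir, string $requested): string
{
    return $homedir . '/' . $requested;
}

// Hardened form: canonicalise and require the result to stay under the
// base directory. Returns null for anything that escapes.
function confinedPath(string $homedir, string $requested): ?string
{
    $base = realpath($homedir);                       // relative $homedir resolves against the cwd
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;                                  // missing base, or a NUL-byte truncation trick
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // The target may not exist yet (an upload), so resolve the parent
    // directory, which must exist, and re-attach the final component.
    $candidate = $homedir . DIRECTORY_SEPARATOR . $requested;
    $leaf = basename($candidate);
    $parent = realpath(dirname($candidate));
    if ($parent === false || $leaf === '.' || $leaf === '..') {
        return null;
    }
    $resolved = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $leaf;

    // Compare with the trailing separator included, otherwise
    // /var/www/images2 would pass for /var/www/images.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Demo on a constructed tree: <tmp>/wikka_<pid>/wikka.config.php and <tmp>/wikka_<pid>/images/screenshots/
$root = sys_get_temp_dir() . '/wikka_' . getmypid();
mkdir("$root/images/screenshots", 0700, true);
file_put_contents("$root/wikka.config.php", "<?php \$wakkaConfig['mysql_password'] = 'secret';\n");

$homedir = "$root/images";
$requests = ['screenshots/login.png', '../wikka.config.php', 'screenshots/../../wikka.config.php'];
foreach ($requests as $req) {
    printf("%-38s naive:    %s\n", $req, naivePath($homedir, $req));
    printf("%-38s confined: %s\n", '', confinedPath($homedir, $req) ?? 'REJECTED');
}

// Tidy up the constructed tree.
unlink("$root/wikka.config.php");
rmdir("$root/images/screenshots");
rmdir("$root/images");
rmdir($root);
```

Only the first request survives ##confinedPath()##; the two traversal attempts resolve to the Wikka root and are rejected, whereas ##naivePath()## happily hands all three to the filesystem. Note that rejecting ##..## as a string is not enough on its own: a symlink inside ##images/## pointing at the site root would bypass that, which is why the check works on the ##realpath()## result.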

This was not an issue for me, as the hack was first intended for an intranet site only. But using it unchanged on a public site is out of the question for any sane admin. So here's what we can do:

According to user feedback on wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), a file manager on a public site would be useful for administrative purposes. It is not necessary to let every user upload files (and it is actually a very bad idea to let unregistered or untrusted users upload anything). Restricting webadmin to administrative use is a piece of cake thanks to [[http://www.apache.org/ apache]]'s .[[http://httpd.apache.org/docs-2.0/howto/auth.html htaccess/.htpasswd]]. (What? You're running [[http://www.microsoft.com/iis Microsoft IIS]]? Oh, so you don't even know what security is? ;o) )

So here is the simplest way to put admin authentication in front of the 3rdparty scripts:
~- edit ##/handlers/3rdparty/.htaccess## (the one you copied from ##/images/##)
~- add the following lines:
%%
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/your/.htpasswd
Require valid-user
%%
~- Then run:
%%
htpasswd -c /full/path/to/your/.htpasswd AdminUserName
%%
~- type your password twice; it adds a line with the hashed password to the file, and that's it. Run %%htpasswd /full/path/to/your/.htpasswd NewUserName%% (without ##-c##) to add another user: ##-c## creates the file and silently overwrites an existing one, so use it only for the very first user.

**Notes:**
The ##.htpasswd## file should not be inside your web server's document root, and the web server user should not have write access to it. The file can have any name; some people use ##httpasswd## or ##passwords##.
Two things to check before relying on this: the directives in ##.htaccess## only take effect if the directory's ##AllowOverride## includes ##AuthConfig## (with ##AllowOverride None## the file is ignored and the script is served unprotected; with an override that excludes ##AuthConfig## Apache refuses the request with a 500 error). And Basic authentication sends the user name and password base64-encoded, not encrypted, on every request, so serve the site over HTTPS or the admin credentials cross the network in the clear.
This procedure is for a Unix/Linux system; I don't know how it works on a Windows server. I've heard of some .htpasswd generators online; google for those if you haven't yet switched to Linux or [[http://www.apple.com/macosx/features/unix/ MacOs X]].
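
The two rules in the notes above (keep ##.htpasswd## out of the document root, keep it unwritable by the web server) are easy to get wrong on a live box, so here is an added example, not code from Wikka or Apache, that audits an ##.htpasswd## file against them and also flags entries that do not look like the hash formats ##htpasswd## writes. ##auditHtpasswd()## and the temporary directory layout it is demonstrated on are assumptions; the bcrypt entry is generated on the fly with ##password_hash()##, which Apache 2.4's ##htpasswd -B## format (##$2y$##) accepts.

```php
<?php
// Added example, not code from Wikka or Apache: audit the .htpasswd placement,
// permissions and entry format recommended in the notes. auditHtpasswd() and
// the constructed layout under a temp directory are assumptions.

// Returns a list of findings; an empty list means the file passes.
function auditHtpasswd(string $htpasswd, string $documentRoot, string $htaccess = ''): array
{
    $findings = [];
    $real = realpath($htpasswd);
    if ($real === false) {
        return ["AuthUserFile $htpasswd does not exist (htpasswd -c never ran, or the path is wrong)"];
    }
    $docroot = realpath($documentRoot);
    if ($docroot !== false) {
        $prefix = rtrim($docroot, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            $findings[] = "$real lies inside the document root $docroot; one .htaccess mistake exposes it";
        }
    }
    // Mode bits are a heuristic; the definitive test is is_writable() run as the web server user.
    $mode = fileperms($real) & 0777;
    if ($mode & 0022) {
        $findings[] = sprintf('%s is writable by group or others (mode %04o); a compromised web process could add a user', $real, $mode);
    }
    if ($mode & 0004) {
        $findings[] = sprintf('%s is world-readable (mode %04o); the hashes can be cracked offline', $real, $mode);
    }
    // Each line is user:hash. htpasswd writes $apr1$ (MD5), $2y$ (bcrypt), {SHA} or 13-char crypt;
    // anything else is most likely a plain-text password typed in by hand.
    foreach (file($real, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $n => $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            $findings[] = 'line ' . ($n + 1) . ' is not user:hash';
            continue;
        }
        $hash = $parts[1];
        $known = preg_match('/^\$apr1\$|^\$2[aby]\$|^\{SHA\}/', $hash) === 1 || strlen($hash) === 13;
        if (!$known) {
            $findings[] = "user {$parts[0]}: password field does not look like an htpasswd hash (plain text?)";
        }
    }
    // If the .htaccess text is supplied, make sure AuthUserFile really points at this file.
    if ($htaccess !== '' && !preg_match('/^\s*AuthUserFile\s+' . preg_quote($htpasswd, '/') . '\s*$/m', $htaccess)) {
        $findings[] = ".htaccess does not reference $htpasswd in AuthUserFile";
    }
    return $findings;
}

// Demo on a constructed layout: <tmp>/audit_<pid>/htdocs is the document root.
$tmp = sys_get_temp_dir() . '/audit_' . getmypid();
mkdir("$tmp/htdocs", 0700, true);
$bad  = "$tmp/htdocs/.htpasswd";   // inside the document root: wrong
$good = "$tmp/.htpasswd";          // one level above it: right
$entry = 'admin:' . password_hash('correct horse', PASSWORD_BCRYPT) . "\n";
file_put_contents($bad, $entry . "guest:plaintextpassword\n");   // constructed: a hand-edited plain-text entry
chmod($bad, 0644);
file_put_contents($good, $entry);
chmod($good, 0600);
$htaccess = "AuthName \"Section Name\"\nAuthType Basic\nAuthUserFile $good\nRequire valid-user\n";

foreach ([$bad, $good] as $file) {
    echo $file, "\n";
    $findings = auditHtpasswd($file, "$tmp/htdocs", $htaccess);
    echo $findings ? '  - ' . implode("\n  - ", $findings) . "\n" : "  ok\n";
}

// Tidy up the constructed layout.
unlink($bad); unlink($good); rmdir("$tmp/htdocs"); rmdir($tmp);
```

The file inside ##htdocs## collects four findings (location, world-readable mode, a plain-text entry, and an ##AuthUserFile## that points elsewhere); the one above the document root with mode 0600 and a single bcrypt entry passes. Run it as the web server user on the real paths to get the ##is_writable()## answer the mode heuristic only approximates.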

===And now?===
This thing is just an ugly hack to add file management capabilities to wikka. It cannot handle ACLs and **is** a security threat, so please use it with caution.
In the future, I'd like to work on integrating a file management system into WikkaCore to handle ACLs and user rights. This would be a page attachment more than a file manager, imho.

**The End**
For more information, ask in the comments or come and idle on IRC ;o)

===Thanks===
Thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)


----
Deletions:
====File Manager====
//How to add file upload/management in wikka//

===Why===
I've setup a wikka site for my company in order to store the knoweldge base and allow every users to read/write doc without leaving their workstations to find an old doc in the company's archives.
My problem was quite simple, I need users to add screenshots in wiki pages. Letting them doing so by ftp would be a loss of time for them, they need something quick and simple. I also had less than 1hr to add this feature.

===What===
I want a file manager, with upload, rename, moove, directory support and so on. Once gently asked for that, google pointed me on a script called [[http://cker.name/webadmin/ webadmin]]
This script is a single file doing everything a file manager is supposed to do. Now let's add it to wikka to allow my users to work more efficiently.

===How===
First, I want to add a 4th button in the edit handler, right after the textbox. Here is what i've modified in ##/handlers/page/edit.php## :
%%(php)
$output .=
$this->FormOpen("edit").
"<input type=\"hidden\" name=\"previous\" value=\"".$previous."\" />\n".
"<textarea onKeyDown=\"fKeyDown()\" id=\"body\" name=\"body\" style=\"width: 100%; height: 500px\">".htmlspecialchars($body)."</textarea><br />\n".
//note add Edit
"<input size=\"40\" type=\"text\" name=\"note\" value=\"".htmlspecialchars($note)."\" /> Please add a note on youredit.<br />\n".
//finsih
"<input name=\"submit\" type=\"submit\" value=\"Store\" accesskey=\"s\" /> <input name=\"submit\" type=\"submit\" value=\"Preview\" accesskey=\"p\" /> <input type=\"button\" value=\"Cancel\" onclick=\"\" /> ".
//ChiWaWa's little FileManagerHack
"<input type=\"button\" value=\"Manage Files\" onclick=\"window.open('/handlers/3rdparty/webadmin.php','FileManagement','height=600,width=800,toolbar=yes,location=1')\" />\n".
$this->FormClose();
%%

**Notes :**
~- wikka is the site root, it is important to know when setting the path ##/handlers/3rdparty/webadmin.php##. Giving the full URI to the webadmin.php script also work but I had troubles with relative paths
~- The file manager open in a popup window to not interact with the current page edition
~- Fell free to modify the popup window parameters to fit your needs. Usually 800x600 gives the best results.

Next step : add the script on wikka's tree
~1) Create the ##/handlers/3rdparty## directory
~2) copy [[http://cker.name/webadmin/webadmin.php webadmin.php]] in it
~3) **Important** (i've lost a lot of time trying to fix that) : copy ##/images/.htaccess## in ##/handlers/3rdparty/##
//not doing so will result in wikka trying to access to a page named handler/3rdparty/webadmin.php.php, I still don't understand why// :p

Finally edit webadmin.php to change some parameters :
%%(php)
$lang = 'auto';
//this is probably what you want, although setting $lang to 'en' is closer to wikka's way to handle I18N

$homedir = '../../images';
//this is intended to use webadmin as an image uploader. It still able to go to wikka's root directory... ouch
%%

And.. that's it. Now edit a page, click on the button, and if the webserver has write access to the images directory, you're able to upload and manage files.

===BUT===
**This hack is an awfull security threat for a public site**
webadmin.php is able to get up to the site root, and also allow anyone to download (and read) wikka.config.php, with your database password in clear text in it. Guess what could happend... once the 3v1l H4cK3R has uploaded [[http://www.phpmyadmin.net/home_page/ PHPMyAdmin]] to dump and modify your database...

This was not an issue to me as the hack was first intended to work only on a intranet site. But using it on a public site is impossible for a non-brainless admin. So here's what we can do :

According to some user feedback on wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), the use of a file manager on a public site would be interesting for administrative purpose. It is not necessary to let every users uploading files (and actually it's more likelly a very bad idea to let unregistered / not trusted users upload anything). Restricting access to webadmin for administrative tasks is a piece of cake thanks to [[http://www.apache.org/ apache]]'s .[[http://httpd.apache.org/docs-2.0/howto/auth.html htaccess/.htpasswd]]. (What? you're running [[http://www.microsoft.com/iis Microsoft IIS]]? oh so you don't even know what security is? ;o) )

So here is the simpliest way to get an admin authentification system to access to 3rdparty scripts :
~- edit ##/handlers/3rdparty/.htaccess## (the one you got from ##/images/##)
~- add the folowing lines :
%%
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/your/.htpasswd
Require valid-user
%%
~- Then run :
%%
htpasswd -c /full/path/to/your/.htpasswd AdminUserName
%%
~- type your password twice, it'll add an encoded password line in the file, and that's it. Simply run %%htpasswd /full/path/to/your/.htpasswd NewUserName%% to add a new user

**Notes:**
The ##.htpasswd## file should not be in your webserver's root. It's better to not even give write access to it by apache. It also can have another name, some use ##httpasswd## or ##passwords##
this procedure is to run on a Unix/Linux system, I don't know how does it works on a windows server. I've heard of some .htpasswd generators online, google for that if you didn't yet switch to Linux or [[http://www.apple.com/macosx/features/unix/ MacOs X]].

===And now?===
This thing is just an ugly hack to add file management capabilities to wikka. It cannot handle ACL and **is** a security threat. So please use it with caution.
In the future, I'd try to work on integrating a file management system in WikkaCore to handle ACL and user rights. This would be a page attachement more than a file manager imho.

**The End**
For more information, ask in comments or come and idle on IRC ;o)

===Thanks===
thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)


----


Revision [4762]

Edited on 2005-01-17 14:56:04 by NilsLindenberg [cat. changed]
Additions:
thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)
----
CategoryUserContributions
Deletions:
thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)


Revision [4286]

Edited on 2005-01-08 23:37:04 by ChiWaWa [cat. changed]
Additions:
First, I want to add a 4th button in the edit handler, right after the textbox. Here is what i've modified in ##/handlers/page/edit.php## :
~- wikka is the site root, it is important to know when setting the path ##/handlers/3rdparty/webadmin.php##. Giving the full URI to the webadmin.php script also work but I had troubles with relative paths
~1) Create the ##/handlers/3rdparty## directory
~3) **Important** (i've lost a lot of time trying to fix that) : copy ##/images/.htaccess## in ##/handlers/3rdparty/##
~- edit ##/handlers/3rdparty/.htaccess## (the one you got from ##/images/##)
The ##.htpasswd## file should not be in your webserver's root. It's better to not even give write access to it by apache. It also can have another name, some use ##httpasswd## or ##passwords##
For more information, ask in comments or come and idle on IRC ;o)
===Thanks===
thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)
Deletions:
First, I want to add a 4th button in the edit handler, right after the textbox. Here is what i've modified in /handlers/page/edit.php :
~- wikka is the site root, it is important to know when settinging the path "/handlers/3rdparty/webadmin.php". Giving the full URI to the webadmin.php script also work but I had troubles with relative paths
~1) Create the /handlers/3rdparty directory
~3) **Important** (i've lost a long time trying to fix that) : copy /images/.htaccess in /handlers/3rdparty
~- edit /handlers/3rdparty/.htaccess (the one you got from /images/)
For more information, ask in comments or come and idle on IRC ;o)


Revision [4285]

Edited on 2005-01-08 23:27:23 by ChiWaWa [cat. changed]
Additions:
~- edit /handlers/3rdparty/.htaccess (the one you got from /images/)
~- add the folowing lines :
~- Then run :
~- type your password twice, it'll add an encoded password line in the file, and that's it. Simply run %%htpasswd /full/path/to/your/.htpasswd NewUserName%% to add a new user
this procedure is to run on a Unix/Linux system, I don't know how does it works on a windows server. I've heard of some .htpasswd generators online, google for that if you didn't yet switch to Linux or [[http://www.apple.com/macosx/features/unix/ MacOs X]].
Deletions:
~1) edit /handlers/3rdparty/.htaccess (the one you got from /images/)
~2) add the folowing lines :
~3) Then run :
~4) type your password twice, it'll add an encoded password line in the file, and that's it. Simply run %%htpasswd /full/path/to/your/.htpasswd NewUserName%% to add a new user
this procedure is to run on a Unix/Linux system, I don't know how does it works on a windows server. I've heard of some .htpasswd generators online, google for that if you didn't yet switch to Linux or MacOs X.


Revision [4284]

Edited on 2005-01-08 23:23:21 by ChiWaWa [cat. changed]
Additions:
%%(php)
$lang = 'auto';
//this is probably what you want, although setting $lang to 'en' is closer to wikka's way to handle I18N
$homedir = '../../images';
//this is intended to use webadmin as an image uploader. It still able to go to wikka's root directory... ouch
And.. that's it. Now edit a page, click on the button, and if the webserver has write access to the images directory, you're able to upload and manage files.
===BUT===
**This hack is an awfull security threat for a public site**
webadmin.php is able to get up to the site root, and also allow anyone to download (and read) wikka.config.php, with your database password in clear text in it. Guess what could happend... once the 3v1l H4cK3R has uploaded [[http://www.phpmyadmin.net/home_page/ PHPMyAdmin]] to dump and modify your database...
This was not an issue to me as the hack was first intended to work only on a intranet site. But using it on a public site is impossible for a non-brainless admin. So here's what we can do :
According to some user feedback on wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), the use of a file manager on a public site would be interesting for administrative purpose. It is not necessary to let every users uploading files (and actually it's more likelly a very bad idea to let unregistered / not trusted users upload anything). Restricting access to webadmin for administrative tasks is a piece of cake thanks to [[http://www.apache.org/ apache]]'s .[[http://httpd.apache.org/docs-2.0/howto/auth.html htaccess/.htpasswd]]. (What? you're running [[http://www.microsoft.com/iis Microsoft IIS]]? oh so you don't even know what security is? ;o) )
So here is the simpliest way to get an admin authentification system to access to 3rdparty scripts :
~1) edit /handlers/3rdparty/.htaccess (the one you got from /images/)
~2) add the folowing lines :
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/your/.htpasswd
Require valid-user
~3) Then run :
htpasswd -c /full/path/to/your/.htpasswd AdminUserName
~4) type your password twice, it'll add an encoded password line in the file, and that's it. Simply run %%htpasswd /full/path/to/your/.htpasswd NewUserName%% to add a new user
**Notes:**
this procedure is to run on a Unix/Linux system, I don't know how does it works on a windows server. I've heard of some .htpasswd generators online, google for that if you didn't yet switch to Linux or MacOs X.
===And now?===
This thing is just an ugly hack to add file management capabilities to wikka. It cannot handle ACL and **is** a security threat. So please use it with caution.
In the future, I'd try to work on integrating a file management system in WikkaCore to handle ACL and user rights. This would be a page attachement more than a file manager imho.
**The End**
For more information, ask in comments or come and idle on IRC ;o)
Deletions:


Revision [4278]

Edited on 2005-01-08 22:46:57 by ChiWaWa [cat. changed]
Additions:
First, I want to add a 4th button in the edit handler, right after the textbox. Here is what i've modified in /handlers/page/edit.php :
%%(php)
$output .=
$this->FormOpen("edit").
"<input type=\"hidden\" name=\"previous\" value=\"".$previous."\" />\n".
"<textarea onKeyDown=\"fKeyDown()\" id=\"body\" name=\"body\" style=\"width: 100%; height: 500px\">".htmlspecialchars($body)."</textarea><br />\n".
//note add Edit
"<input size=\"40\" type=\"text\" name=\"note\" value=\"".htmlspecialchars($note)."\" /> Please add a note on youredit.<br />\n".
//finsih
"<input name=\"submit\" type=\"submit\" value=\"Store\" accesskey=\"s\" /> <input name=\"submit\" type=\"submit\" value=\"Preview\" accesskey=\"p\" /> <input type=\"button\" value=\"Cancel\" onclick=\"\" /> ".
//ChiWaWa's little FileManagerHack
"<input type=\"button\" value=\"Manage Files\" onclick=\"window.open('/handlers/3rdparty/webadmin.php','FileManagement','height=600,width=800,toolbar=yes,location=1')\" />\n".
$this->FormClose();
%%
**Notes :**
~- wikka is the site root, it is important to know when settinging the path "/handlers/3rdparty/webadmin.php". Giving the full URI to the webadmin.php script also work but I had troubles with relative paths
~- The file manager open in a popup window to not interact with the current page edition
~- Fell free to modify the popup window parameters to fit your needs. Usually 800x600 gives the best results.
Next step : add the script on wikka's tree
~1) Create the /handlers/3rdparty directory
~2) copy [[http://cker.name/webadmin/webadmin.php webadmin.php]] in it
~3) **Important** (i've lost a long time trying to fix that) : copy /images/.htaccess in /handlers/3rdparty
//not doing so will result in wikka trying to access to a page named handler/3rdparty/webadmin.php.php, I still don't understand why// :p
Finally edit webadmin.php to change some parameters :
Deletions:
First, I want to add a 4th button in the edit handler. Here is what i've added :


Revision [4274]

The oldest known version of this page was created on 2005-01-08 22:26:33 by ChiWaWa [cat. changed]