As mentioned in my previous blog post, Cool Web-Based Software - eXtplorer, eXtplorer is an excellent online file manager with a strong set of features. While evaluating it for use in an Offsite Linux Server Backup service, I found several drawbacks. In particular, two features must be disabled before eXtplorer can be used in a shared, multi-user environment.
The first feature that needs to be disabled is the "New File/Directory" button. Besides files and directories, this dialog can create symlinks, and a symlink that points outside the user's directory defeats the confinement to that directory: the user can then browse anything the webserver process itself can read. In most deployments the user the webserver runs as can read most of the files on the server, some of them sensitive. The feature is easy to disable by editing a few files.
To disable this feature, edit the file include/mkitem.php. In that file you should see code similar to the following:
/**
* Allows to create dirs, files and symlinks on a server
*
*/
class ext_Mkitem extends ext_Action {
To disable the feature, either comment out the class or rename it. A user who then clicks "New File/Directory" gets a screen like the one shown on the left: it is completely blank and offers no way to create a new file or directory, or a symlink to another directory. Because the action class itself is gone, the restriction is enforced on the server rather than merely hidden in the browser, so a hand-crafted request cannot reach it either; the trade-off is that ordinary file and directory creation is lost along with symlink creation.
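As an added example (not eXtplorer's own code, and not the edit described above), the following PHP shows the same remedy enforced where it cannot be bypassed: a guard for a request shaped like the mkitem action that refuses mktype=symlink outright and confines file and directory creation to the user's home with realpath(), which follows any symlink already on disk. The function names, the exception class, the request shape and the temporary directory layout are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not eXtplorer's code. Guards a "new item" request
// (assumed fields: parent path relative to the home, item name, mktype)
// so that symlinks are never created and nothing is created outside
// the caller's home directory. All names here are hypothetical.

final class MkItemRejected extends RuntimeException {}

/** Resolve $relative under $home, refusing anything that resolves outside it. */
function resolve_inside_home(string $home, string $relative): string
{
    $homeReal = realpath($home);
    if ($homeReal === false || !is_dir($homeReal)) {
        throw new MkItemRejected('home directory missing');
    }
    if (strpos($relative, "\0") !== false || ($relative !== '' && $relative[0] === '/')) {
        throw new MkItemRejected('absolute path or NUL byte in path');
    }
    // realpath() follows symlinks, so a link inside the home that points at
    // another directory resolves to that directory and fails the prefix check.
    $candidate = realpath($homeReal . '/' . $relative);
    if ($candidate === false) {
        throw new MkItemRejected('parent does not exist');
    }
    if ($candidate !== $homeReal && strpos($candidate, rtrim($homeReal, '/') . '/') !== 0) {
        throw new MkItemRejected("resolved path leaves home: $candidate");
    }
    return $candidate;
}

/** Accept only a single, plain path component as the new item's name. */
function validate_name(string $name): void
{
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\0") !== false || strlen($name) > 255) {
        throw new MkItemRejected('invalid item name');
    }
}

/** Create a file or directory inside the home; returns the created absolute path. */
function make_item(string $home, string $parentRelative, string $name, string $mktype): string
{
    // The post's remedy, applied server-side: symlinks are never created.
    if ($mktype === 'symlink') {
        throw new MkItemRejected('symlink creation is disabled by the administrator');
    }
    if ($mktype !== 'file' && $mktype !== 'dir') {
        throw new MkItemRejected('unknown item type');
    }
    validate_name($name);
    $parent = resolve_inside_home($home, $parentRelative);
    $target = $parent . '/' . $name;
    // is_link() also catches a dangling symlink that file_exists() would miss.
    if (is_link($target) || file_exists($target)) {
        throw new MkItemRejected('item already exists');
    }
    $ok = ($mktype === 'dir') ? mkdir($target, 0750) : touch($target);
    if (!$ok) {
        throw new MkItemRejected('filesystem refused the operation');
    }
    return $target;
}

// ---- demo on a constructed layout under the system temp directory ----
$base = sys_get_temp_dir() . '/mkitem-demo-' . bin2hex(random_bytes(4));
mkdir("$base/home/alice", 0700, true);
mkdir("$base/secret", 0700);
file_put_contents("$base/secret/creds.txt", "constructed sample secret\n");
// The escape the symlink option made possible: a link in the home pointing outside it.
symlink("$base/secret", "$base/home/alice/esc");

$cases = [
    ['',      'notes',     'dir'],      // legitimate: creates home/alice/notes
    ['',      'link',      'symlink'],  // rejected: symlinks disabled server-side
    ['esc',   'owned.txt', 'file'],     // rejected: 'esc' resolves to $base/secret
    ['../..', 'x',         'file'],     // rejected: traversal above the home
    ['',      '../y',      'file'],     // rejected: '/' in the item name
];
foreach ($cases as [$parent, $name, $type]) {
    try {
        $made = make_item("$base/home/alice", $parent, $name, $type);
        echo "created  $type '$parent/$name' -> $made\n";
    } catch (MkItemRejected $e) {
        echo "rejected $type '$parent/$name': {$e->getMessage()}\n";
    }
}
```

Run it with `php guard.php` on a Linux host; only the first case succeeds, and the `esc` case is rejected even though the request never contains `..`, because the symlink itself is what carries the traversal. The demo leaves its temporary directory behind for inspection.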
The other weakness in eXtplorer's design is the "About" page, which includes (among other items) the output of phpinfo(). That function reveals sensitive details about the webserver: the PHP version, the operating system, the PHP configuration, loaded modules and environment variables, all of which help an attacker choose an exploit. Fortunately, disabling this feature is easy.
To disable the "About" page, edit the file admin.extplorer.php and look for the lines similar to:
    case 'get_about':
        require_once( _EXT_PATH . "/include/system_info.php" );
        system_info();
        break;
And change them to:
    case 'get_about':
        echo "This feature has been disabled by your administrator.";
        // require_once( _EXT_PATH . "/include/system_info.php" );
        // system_info();
        break;
This comments out the include that produces the phpinfo() output and replaces it with a line telling the user the feature is disabled; the dialog then looks like the one on the left. Because the change lives in eXtplorer's own source it will be lost when the application is upgraded, so re-check it after each update; for defence in depth, PHP itself can be told to refuse phpinfo() by listing it in disable_functions in php.ini.
Finally, edit the language file so that the "New File/Directory" and "About" descriptions tell users the features are disabled; these strings are shown when the mouse hovers over the option. Edit languages/english.php (or whichever language is the default) and change the variables "aboutlink" and "newlink" to whatever message you choose. My preference is simply to append "Disabled" to the feature name, so the user knows the feature is off on purpose.
With these modifications in place the two issues described above are closed, and eXtplorer can run in a multi-user environment. If you have further questions about eXtplorer, feel free to post a reply or use the contact form on this website.




I notice that when eXtplorer is used it's not on a secure connection (no HTTPS). How can this be changed so traffic between user and site is not at risk?
You can simply run the site on an HTTPS server, using mod_ssl under Apache, for instance.
Email it to me, and I can post it: chris@linuxconsultant.info
I'm a complete moron. Last attempt on the include/mkitem.php modifications:
--- /srv/files/include/mkitem.php.orig 2012-03-15 13:49:15.000000000 -0300
+++ include/mkitem.php 2012-03-15 14:06:32.000000000 -0300
@@ -97,13 +97,13 @@ class ext_Mkitem extends ext_Action {
"xtype": "combo",
"fieldLabel": "Type",
"store": [["file", "<?php echo ext_Lang::mime( 'file', true ) ?>"],
- ["dir", "<?php echo ext_Lang::mime( 'dir', true ) ?>"]
- <?php
- if( !ext_isFTPMode() && !$GLOBALS['isWindows']) { ?>
- ,["symlink", "<?php echo ext_Lang::mime( 'symlink', true ) ?>"]
- <?php
- } ?>
- ],
+ ["dir", "<?php echo ext_Lang::mime( 'dir', true ) ?>"]],
+// <?php
+// if( !ext_isFTPMode() && !$GLOBALS['isWindows']) { ?>
+// ,["symlink", "<?php echo ext_Lang::mime( 'symlink', true ) ?>"]
+// <?php
+// } ?>
+// ],
displayField:"type",
valueField: "mktype",
value: "file",
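Review bot: this hunk only removes the "symlink" entry from the client-side type combo; nothing in it changes the code that acts on mktype once the request arrives, so a client that posts mktype=symlink directly would still reach that path. Reject the value server-side in the same change (anything other than file or dir should be an error before the filesystem is touched). Also note that the `//` prefixes land in the JavaScript sent to the browser, not in PHP: the `<?php if( !ext_isFTPMode() && !$GLOBALS['isWindows']) { ?>` block on those lines still executes, and the commented `],` is now redundant because the line above already closes the array with `]],`. Deleting the six lines outright would be simpler and harder to misread.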
@@ -114,12 +114,12 @@ class ext_Mkitem extends ext_Action {
mode: "local",
allowBlank: false,
selectOnFocus:true
- },{
- "xtype": "textfield",
- "fieldLabel": "<?php echo ext_Lang::msg( 'symlink_target', true ) ?>",
- "name": "symlink_target",
- "width":175,
- "allowBlank":true
+// },{
+// "xtype": "textfield",
+// "fieldLabel": "<?php echo ext_Lang::msg( 'symlink_target', true ) ?>",
+// "name": "symlink_target",
+// "width":175,
+// "allowBlank":true
}],
"buttons": [{
"text": "<?php echo ext_Lang::msg( 'btncreate', true ) ?>",
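Review bot: hiding the symlink_target textfield does not stop a client from posting a symlink_target parameter itself, so the handler must ignore or reject that field rather than rely on the form no longer showing it. The brace structure after the edit is correct (the combo's closing `}` now pairs directly with `}],`), but as with the earlier hunk these `//` lines only work because the object literal is emitted as JavaScript rather than parsed as strict JSON; removing the lines is safer than commenting them out.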