Posts Tagged ‘web-based software’

Securing eXtplorer

Friday, March 11th, 2011

As mentioned in my previous blog post, Cool Web-Based Software- eXtplorer, eXtplorer is an excellent online file manager solution that has a great set of features. While I was examining eXtplorer’s potential to be used in an Offsite Linux Server Backup service, I did find several drawbacks to the software. In particular, two features needed to be disabled, in order for eXtplorer to be used in a shared environment.

The first feature in eXtplorer that needed to be disabled was the “New File/Directory” button. Besides plain files and directories, this button allows the creation of symlinks, and a symlink that points outside the user’s assigned directory lets the user browse wherever it leads. Because eXtplorer runs as the web server user, this means a user can read any file that the web server process can read, which on a typical server is most of the filesystem, some of it sensitive. Disabling the feature only takes a few file edits.

To disable this feature, edit the file include/mkitem.php. In that file, you should see code similar to the following:
/**
* Allows to create dirs, files and symlinks on a server
*
*/
class ext_Mkitem extends ext_Action {

New File/Directory disabled, on eXtplorer

To disable this feature, either comment out the class or simply rename it, so that the action can no longer be dispatched. This results in a screen similar to the one on the left when a user attempts to create a new file or directory: the dialog is completely blank, so the user can neither create new files or directories nor create a symlink to another location.

The other weakness in eXtplorer’s design was the “About” page, which among other things exposes the output of PHP’s phpinfo() function. phpinfo() reveals sensitive details about the web server: the PHP version, the operating system, loaded extensions, the PHP configuration, and the contents of $_SERVER and $_ENV (paths, hostnames), all useful to an attacker. Fortunately, disabling this feature is easy.

To disable the “About” page, edit the file admin.extplorer.php and look for the lines similar to:

case 'get_about':
    require_once( _EXT_PATH . "/include/system_info.php" );
    system_info();
    break;

And change this to:

case 'get_about':
    echo "This feature has been disabled by your administrator.";
    // require_once( _EXT_PATH . "/include/system_info.php" );
    // system_info();
    break;

eXtplorer's About page, properly disabled

What we are doing here is commenting out the require of the script that produces the phpinfo() output, and printing a message telling the user that the feature is disabled instead. The dialog now looks similar to the one on the left.

extplorer's new file/directory button disabled

Once we have made these modifications, we need to tell our users that these two features no longer work. There are a few ways to do this; my favorite is to edit the button images on the menu (located in the images directory). The New File/Directory button uses the image "_filenew.png", and the About button uses "_help.png". When you are done, you should have a navigation bar that looks close to the image on the left.

Finally, edit the language file so that the “New File/Directory” and “About” descriptions tell users the features have been disabled when they hover over the options. To do this, edit languages/english.php (or whichever language is the default) and change the variables “aboutlink” and “newlink”. You can set these to whatever message you choose; my preference is to append the text “Disabled” to the feature name, so users know the feature is off on purpose.

With these modifications in place, eXtplorer can run in a multi-user environment without the symlink escape and the phpinfo() disclosure described above. Two caveats: removing the button prevents symlinks from being created through eXtplorer’s interface, but eXtplorer still runs as the web server user, so any other way a user has of placing a symlink inside their directory would bypass it; and the remote FTP feature mentioned in the earlier post is not addressed here. If you have any further questions about eXtplorer, feel free to contact me by posting a reply or using the contact form on this website.

Cool Web-based Software- eXtplorer

Tuesday, February 22nd, 2011

Your server has fast Internet access and hundreds of GB of free storage. Why not use that storage and high-speed connection to store files and share them with other users?

If you need to share files with other users on the Internet, or easily access files remotely, a good web-based tool for the purpose is eXtplorer. Featuring modern JavaScript-based menus and a sleek PHP backend, eXtplorer is quickly becoming my favorite way to access files remotely. Sure, I could use SFTP to store files on a server, but what happens when you need to access files on your server from someone else’s computer? You could always download a standalone SFTP client, but that’s a hassle; eXtplorer is accessible from any web browser.

This weekend, I was researching ways to offer offsite Linux server backup solutions to my clients, and stumbled upon eXtplorer. At first I was skeptical; I’ve looked at easily a dozen open source file managers. After using eXtplorer over the course of several weeks, I found the software sleek, functional, and easy to use. Needless to say, I was impressed.

eXtplorer's list of files in the current directory

As you can see, eXtplorer features a clean user interface, with friendly graphics. It’s intuitive to use, and has very few disadvantages.

eXtplorer's Sleek Right Click Menu

I was also impressed by eXtplorer’s sleek right-click menu, which works in Opera, Firefox, and Internet Explorer. The menu is JavaScript based, and seemed to be bug-free.

eXtplorer's "View File Contents" feature can even display images.

If you need to, you can even view the contents of a file, via the “View File Contents” feature. This feature supports images, as well as text documents.

One disadvantage of eXtplorer is that it requires a few modifications to be used securely in a multi-user environment. In its default configuration, eXtplorer allows the creation of symlinks, which can point outside the directory a user’s profile is confined to. A user can therefore view files outside his or her own path, which is an information disclosure vulnerability. In addition, an “About…” dialog exposes the output of PHP’s phpinfo() function, which tells a potential attacker a great deal about the server. eXtplorer also supports connecting to remote FTP sites, which could also present a security problem in a shared environment. However, all of these features are easy enough to disable.
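The symlink escape described in this paragraph, and in more detail in the Securing eXtplorer post above, comes down to one missing check. The following Python is an added example written for this page, not eXtplorer’s code: it builds a throwaway directory tree under a temporary directory (the layout and file contents are constructed for the demo) with a symlink that points out of the user’s directory, shows that a prefix test on the path string lets the escape through, and shows the realpath() comparison that a file manager confining users to their own directory has to make on every access.

```python
"""Added example: why an unrestricted symlink defeats a per-user directory.

Illustrative code for this page, not eXtplorer's source. It creates a constructed
tree, places a symlink inside a user's directory that points outside it, and
compares a naive string-prefix check with a check that resolves symlinks first.
"""
import os
import shutil
import tempfile


def naive_within(root, requested):
    """The flawed check: normalise the joined path and test the string prefix.
    This catches '..' traversal but cannot see where a symlink leads, so
    'root/escape/passwd' looks like it is inside root."""
    candidate = os.path.normpath(os.path.join(root, requested))
    return candidate == root or candidate.startswith(root + os.sep)


def resolved_within(root, requested):
    """The fix: resolve every symlink in both the root and the candidate path
    with realpath(), then compare the resolved paths."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    return candidate == real_root or candidate.startswith(real_root + os.sep)


def build_demo_tree():
    """Constructed layout (hypothetical, not a real server):
        <tmp>/secret/passwd          outside the user's area, readable by the web user
        <tmp>/home/alice/notes.txt   the user's own file
        <tmp>/home/alice/escape  ->  <tmp>/secret   the symlink a user could create
    Returns (user_root, base_dir)."""
    base = tempfile.mkdtemp(prefix="extplorer-demo-")
    secret = os.path.join(base, "secret")
    alice = os.path.join(base, "home", "alice")
    os.makedirs(secret)
    os.makedirs(alice)
    with open(os.path.join(secret, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample content
    with open(os.path.join(alice, "notes.txt"), "w") as f:
        f.write("alice's own file\n")
    os.symlink(secret, os.path.join(alice, "escape"))
    return alice, base


def demo():
    """Run the comparison and return the verdicts plus what actually leaks."""
    alice, base = build_demo_tree()
    try:
        target = "escape/passwd"
        # What a file manager that trusts the naive check would do: open it.
        with open(os.path.join(alice, target)) as f:
            leaked = f.read()
        return {
            "naive_escape": naive_within(alice, target),        # True: check fooled
            "resolved_escape": resolved_within(alice, target),  # False: escape caught
            "resolved_own_file": resolved_within(alice, "notes.txt"),  # True
            "resolved_dotdot": resolved_within(alice, "../bob"),       # False
            "leaked": leaked,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The resolved check has to run on every request, not once at login, because the symlink can be created after any one-time validation; that is also why the post above simply removes the creation path rather than trying to validate it.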

eXtplorer with symlinks disabled

As you can see, both the “New file” feature and the “About…” feature have been disabled. Disabling them is necessary to prevent the creation of symlinks and the disclosure of system settings via the “About…” page.

In summary, eXtplorer is definitely worth looking into if you need a way to share or host files over the Internet. If you don’t want to use FTP and are in search of a web-based file manager, eXtplorer is easily the best choice among open source web-based file managers. Its few security issues are easily fixed and readily documented. In my next blog post, I specify the exact changes necessary to disable symlinks, disable the about page, and disable remote FTP access.

Cool Web-based Software- DocMGR

Tuesday, June 15th, 2010

DocMGR is a free, powerful document management system for Linux servers

One of the biggest challenges when working with teams or organizations is information collaboration.  Although tools like email and file servers exist, they do not solve the problem of easily allowing outside contractors or remote employees access to important files, and file servers also do not have the ability to save multiple revisions of a file.  These common problems are easily solved with the use of a document management system.  A good document management system will also have a way to send files to external clients or consultants- people that might not have access to your network.

DocMGR is a popular document management software solution for Linux servers.  DocMGR has been in development since 2005, and the most recent versions include advanced features such as PDF exporting, and a built-in document editor.  DocMGR requires a few software packages to be installed on your Linux server (in addition to PostgreSQL and Apache), such as OpenOffice and ImageMagick.  Typically, DocMGR takes about an hour to an hour and a half to install.

Once installed, log into the DocMGR interface using the default username admin.  When logged in, you are welcomed by a customizable home page.

DocMGR's home screen is completely customizable.

From here, you can view your files in thumbnail format (handy for images), or in a list format, which allows you to easily export documents as a PDF.

DocMGR offers list as well as thumbnail views.

One of the nice features of any document management system is the ability to have both private and shared files.  DocMGR’s folder ACLs are easy to edit, giving you fine control over exactly who is able to view and change your files.  Subscriptions can be set up for shared folders, so that you are notified when the contents of a folder change.

DocMGR shared documents, and thumbnail view.

DocMGR’s built-in editor is quite sophisticated, and supports spell checking as well as the insertion of multimedia files.  The editor requires OpenOffice to be installed on your server, and it also allows you to easily edit any document stored within DocMGR (without requiring programs such as Word™ on your computer).

DocMGR contains a built-in document editor.

DocMGR contains a built-in email client (for sending only), which allows you to send any file in DocMGR via email.  DocMGR also contains an address book feature, which allows easier organization of frequently used contacts.

DocMGR can email files within DocMGR directly.

I am particularly impressed by the ability not only to email files, but also to send download links for large files.  This way, you can send someone a very large attachment (that might otherwise fill up their mailbox) as a special link which expires within 24 or 48 hours.  I particularly liked that a download link I send is removed automatically after the specified time.  Whenever I send someone a link manually, I usually forget to delete the original file from my server the next day.  This feature helps keep your server tidy, and secure.

DocMGR offers the ability to send links to large files directly.

DocMGR’s way of selecting users is my only real complaint.  If you look at the screenshot below, users are selected using the search field in the top right corner.  Normally, you would expect a drop-down list or another way to select individual users, and the search field is not very user-friendly here.  Despite this one fault, the rest of the user management is easy and fast once you get used to selecting users via the search field.

DocMGR user management is quick, once you get used to the interface.

While we’re on the topic of searching, this is perhaps one of DocMGR’s biggest strengths- the search times for documents are extremely fast.  In addition, DocMGR can even search within the contents of files for what you want- in case you forget the filename.

If you need a document management system, I would highly encourage you to take a look at DocMGR.  With its many features and fast performance, it’s a wonder that this document management system is available for free.  If you don’t want to tackle the installation of DocMGR yourself (and its many dependencies), feel free to contact me, and I will install it on your server for you.

Cool Web-based Software- Nagios

Monday, March 22nd, 2010

Is your Linux server down?

This one question has the power to keep us all up at night. Linux servers host your websites, handle your email, and manage your network. Your Linux server is the heart and soul of an online presence, since your databases and web applications all run on top of your server. Put simply, if your server is down, so is your business. Downtime means lost sales, and lost customers (present and future revenue). If you can’t afford downtime, you need a good server monitoring program. One such software solution is called Nagios, and it’s quite powerful.

Although Nagios isn’t the easiest web-based software solution to install (most of the configuration is done by editing configuration files), it is extremely easy to use once configured. Nagios presents you with a web-based status screen, which lets you quickly view the status of all of the servers you are monitoring. Nagios isn’t just for Linux servers, either; Windows servers can be monitored as well. Once you are logged into Nagios, you can view the detailed status of all monitored servers by clicking on the “Service Detail” link.

Nagios host status details

From here, you can view detailed information about when Nagios last checked the status of a service running on your server, and the result of that last check. Pretty boring stuff so far, since nothing is broken. Let’s break the POP3 service on our server and see how Nagios reacts. Within one minute, Nagios has flagged the POP3 service as being in a “critical” state. This first detection is what Nagios calls a SOFT state: it retries the check, and only after four consecutive failed checks (the max_check_attempts directive, which is four for services in this setup) does the state become HARD and an alert go out. This matters because sometimes a single request is dropped by a router between Nagios and the destination server. The Internet is a crazy place, and sometimes traffic isn’t delivered to its destination in time, so Nagios waits for four consecutive failures before it issues an alert.

Nagios host details- critical alert

Once Nagios has failed to connect to the server four consecutive times, the service enters a HARD critical state and a notification is sent. Depending on your Nagios configuration, this can be an email, a text message, or even a sound played through speakers connected to your Linux server.

Nagios email alert

Once we have fixed the issue with the POP3 daemon on our Linux server, Nagios clears the critical warning and returns the service to an “OK” state. On this recovery, emails and SMS text messages are sent once more, to inform everyone that the monitored service is fixed.
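The detection, alert and recovery behaviour described over the last few paragraphs is easy to get wrong when tuning a monitoring setup, so here is a small model of it. This is an added example written for this post, not Nagios source: it follows the SOFT/HARD logic above, with max_check_attempts defaulting to four as in this setup, and deliberately leaves out re-notification (notification_interval), flap detection and host-down suppression. The check history at the bottom is constructed to match the POP3 story.

```python
"""Added example: a minimal model of Nagios's SOFT/HARD state logic.

Illustrative code written for this post; it is not Nagios source. The first failed
check puts a service into a SOFT problem state and Nagios retries (at
retry_interval); only when max_check_attempts consecutive checks have failed does
the state become HARD and a PROBLEM notification go out. An OK result after a HARD
problem sends a RECOVERY notification; an OK result during the SOFT phase sends
nothing, which is what absorbs a single dropped packet.
"""

OK, WARNING, CRITICAL, UNKNOWN = "OK", "WARNING", "CRITICAL", "UNKNOWN"


def notifications(results, max_check_attempts=4):
    """Return the notifications Nagios would send for a sequence of check results.

    results            -- iterable of OK/WARNING/CRITICAL/UNKNOWN, one per check
    max_check_attempts -- the Nagios directive of the same name (4 in this post's setup)

    Each returned tuple is (check_number, kind, state): check_number is 1-based,
    kind is "PROBLEM" or "RECOVERY".
    """
    sent = []
    state = OK           # last known service state
    state_type = "HARD"  # "SOFT" while retrying a fresh failure, "HARD" once confirmed
    attempt = 1          # Nagios's current_attempt counter

    for n, result in enumerate(results, start=1):
        if result == OK:
            if state != OK and state_type == "HARD":
                sent.append((n, "RECOVERY", OK))  # a confirmed problem has cleared
            # Recovery from SOFT: reset silently, nobody is paged for one blip.
            state, state_type, attempt = OK, "HARD", 1
            continue

        if state == OK:
            # First failure after OK: enter SOFT state, start the retry counter.
            state, state_type, attempt = result, "SOFT", 1
        elif state_type == "SOFT":
            # Still retrying: count this consecutive failure.
            state, attempt = result, attempt + 1
        else:
            # Already HARD. A change between non-OK states (e.g. CRITICAL -> WARNING)
            # is a HARD state change and is notified; the same state repeating is not.
            if result != state:
                state = result
                sent.append((n, "PROBLEM", state))
            continue

        if attempt >= max_check_attempts:
            # Enough consecutive failures: the problem is real, page someone.
            state_type = "HARD"
            sent.append((n, "PROBLEM", state))

    return sent


if __name__ == "__main__":
    # Constructed check history for the POP3 example: one dropped check that is
    # absorbed, then a real outage lasting six checks, then the daemon is fixed.
    history = [OK, CRITICAL, OK, OK,
               CRITICAL, CRITICAL, CRITICAL, CRITICAL, CRITICAL, CRITICAL, OK]
    for n, kind, state in notifications(history):
        print(f"check {n:2d}: {kind} notification, service is {state}")
```

Running it shows a single PROBLEM notification at the eighth check (the fourth consecutive failure) and a RECOVERY at the eleventh; the isolated failure at check two never produces anything, which is exactly the filtering the retry logic is for. Lowering max_check_attempts trades that tolerance for faster alerts.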

Nagios SMS Text Message Alert

In addition, the host status on Nagios is now displayed as “OK” on the service status page.

Nagios Host Status OK

In addition to monitoring, Nagios also supports the ability to create logs and uptime graphs which display host uptime and service stability in an easy to read format. Host state breakdown reports allow you to easily view and export server and service uptime reports.

Nagios Host State Breakdown Report

You can also schedule downtime with Nagios, so that alerts aren’t issued when a service or server is taken down for routine maintenance. The downtime window is fully customizable, and Nagios gives a summary of all planned downtime when you click “Downtime” on the navigation bar.

Nagios Scheduled Downtime

In the end, Nagios has the potential to save you both time and money. With Nagios, you won’t have to wonder whether your server is working; Nagios will let you know as soon as your server is unavailable.

Cool Web-based Software- OpenEMM

Monday, March 1st, 2010

One cool web-based software solution that I’ve stumbled upon lately is OpenEMM.  OpenEMM is a mass mailing solution for email marketing, sending newsletters, and bulk mail.  Although I’ll admit that my experience with this particular niche of software is limited (I’ve installed and used SugarCRM and PHPlist in the past), I’m really in love with OpenEMM’s layout and organization.  Where OpenEMM really shines is the ability to quickly set up a campaign or a single mailing and start to get emails flowing.  OpenEMM contains its own email system (more on that later), so it’s basically self-contained.

To get started with sending emails through OpenEMM, you first must create a “mailing”, which can either be a part of a campaign, or by itself (a cool feature when testing this software).  After you complete a short wizard, you can fine tune the mailing very easily:

Creating a mailing in OpenEMM

Once you have the mailing set up in OpenEMM, you can add email addresses, or recipients (it may be best to add those first, but it’s more fun to create the mailing first; it doesn’t really matter which order you do them in). One really nice feature, as you can see, is that the form is short and to the point: if you just want to add email addresses and get on with your life, OpenEMM does a very nice job of that.

Adding an email address in OpenEMM

Moving on, we also have the ability to create a template in OpenEMM to use for our mailings.  This is nice, since the templates look professional and clean, and can be personalized using variables that pull database fields (such as first and last names).  I hate the impersonal feeling of mass mailing, and the inclusion of this feature is welcome.

OpenEMM email template

Speaking of editing templates, OpenEMM allows you to preview how your template will look at different resolutions.  This feature is really nice, since I use static table sizes in my designs, and I’m always curious as to how the border regions of tables look at higher/lower resolutions.

Template preview feature in OpenEMM

Now that I’ve talked up OpenEMM enough to sound like a commissioned salesman, let’s talk about some of the disadvantages:

  • OpenEMM doesn’t appear to support an external mail server- you can either use the mail server built into the server that OpenEMM is installed on, or you can use the bundled mail server.
  • OpenEMM’s mail server doesn’t always work 100% out of the box.  If you want to switch mail servers, there isn’t a graphical way to do it.  It would be nice to have an “email server configuration” page built into OpenEMM, so that I could use a mail server located on another machine.
  • OpenEMM requires Sun’s Java to be installed and a dedicated user account to be created.  OpenEMM isn’t the easiest mass email marketing software to install.

However, none of these disadvantages are particularly crippling. Time wise, I would say that it took me about an hour or so to install. Although I’m just playing with mass email marketing software at the moment, if I ever do decide to take the plunge and get started, OpenEMM will definitely be the software that I will use.