Introducing CreWeb

[cratylus]

All righty, I could use some help.
I'm developing a system that allows creators to access
their files using a browser, so that there's no need
to futz around with ftp or rcp.

The basic framework of it seems to work ok. It's
just a set of CGI scripts running from the built-in
webserver.

However, I'm not that comfortable releasing this
yet. I got the thing to work, and I *think* that
it's able to prevent creators from reading each other's
stuff, but I'm not really that sure. It's my first
time messing around with this sort of stuff, and
I could use the help of some folks willing to try
to break stuff.

So, here's my request.

Please telnet to alcatraz.wolfpaw.net port 8000,
make a character, and choose to become a creator when asked.

Once your creator character is in place, use
your favorite browser to navigate to:

http://alcatraz.wolfpaw.net:8001/cgi/login.html

And log in using that character's name and password.

You will be logged in and able to browse your
files and upload stuff, too, just using the browser.

Now, don't bother telling me how ugly you think it
is...this is a functionality test, and here comes
the good part.

What I need you to do is...break it. Break the
security, try to access and preferably even modify
other people's files. If you can, try to modify
stuff on the lib itself. Before I can feel comfortable
suggesting to people to use this system, I want to
feel relatively sure that it at least is not
trivial to circumvent.

Obviously I am not asking you to hack that server itself.
It doesn't belong to me and if you did so it would make
things unpleasant for me.

I just want help seeing how vulnerable the current
experimental version of CreWeb is to exploits.

Thanks!

-Crat

[cratylus]

Users of Internet Explorer, if the files look like  jumbled mess,
it's because ie doesn't by default try to figure out the newlines.

To view the files properly if they are messed up, right click
on the page, select "Encoding", then "Auto-Select".

-Crat

[cratylus]

Heh, apparently Internet Explorer is problematic in various ways.

Expect very weird behavior if you use ie.

That's what I get for testing on non-microsoft browsers!

-Crat

[cratylus]

The weird IE file path bug should now be fixed.

Can't do anything about the encoding though...that's
a peculiarity in the way that browser handles file
encoding that's not new and it's something I can't fix.

-Crat

PS keep trying to break it plz kthx

[daelaskai]

It's very strange.  When I log in, I just come to a page that has only one letter and nothing else.
I don't see any of my creator files or anything else.

Daelas

[cratylus]

Weird, I can't get that to happen.

Do you maybe have a firewall on?

What's your os and browser?

-Crat

[daelaskai]

Oh, wait.  I can get to my public_html dir by typing: http://alcatraz.wolfpaw.net:8001/~johnny
and can see the index.html I put there but I still can't see any other file info.

I'm using Mozilla Firefox 2.0 on Windows XP if you need to know that.

Daelas

[daelaskai]

Yes, I have ZoneAlarm firewall.

[cratylus]

Mysterious.

I'd say make sure you have cookies enabled,

then log out: http://alcatraz.wolfpaw.net:8001/cgi/logout.html

then login: http://alcatraz.wolfpaw.net:8001/cgi/login.html

Not sure why you'd have trouble with that browser...I've tested on
that with Linux and Windows.



-Crat

[quixadhal]

Can't do anything about the encoding though...that's
a peculiarity in the way that browser handles file
encoding that's not new and it's something I can't fix.

Actually... you might be able to

I haven't looked yet, but there are multiple ways to serve up files via the web.  If you just provide links directly to the files, you're at the mercy of your host to add entries to their apache (or Microsoft thingy) config so that .c or .h files in YOUR area get a content type of text.

However, if you're serving files up via a script, which itself reads the files and then sends them, you might indeed be able to send whatever type header information you want.  How you do it depends on what kind of CGI script you have (IE: perl, C, lpc, etc...)

I'll try to find a bit of time to actually look at it this weekend, rather than just spewing what's floating around in the air near me.

[cratylus]

Whew! Boy am I learning a bunch about CGI and javascript!

There are new features available in CreWeb. You can now edit
files in your home directory...and if they are .c files, they will be
automatically loaded when sent and any errors will be displayed
in your browser.

Note that this is for editing only. Uploading a file is still just
sending the file.

The editor is crude but functional, and I hope it's a step toward making
it easier to build for those truly allergic to ed.

Anyway, I still need everyone's help with the testing, so...

Please telnet to alcatraz.wolfpaw.net port 8000,
make a character, and choose to become a creator when asked.

Once your creator character is in place, use
your favorite browser to navigate to:

http://alcatraz.wolfpaw.net:8001/cgi/login.html

And log in using that character's name and password.

Thanks!

-Crat

[cratylus]

Welp, I'm pretty much done with the basic CreWeb functionality. As of now
you can browse your files, edit them, upload new files, create new files,
and create new directories, all from the web.

This is what the home directory looks like: http://lpmuds.net/homedir.jpg

This is what editing looks like: http://lpmuds.net/editing.jpg

I've tested it with the various Mozilla browsers and IE. I've also tested
running it on Linux and Windows Dead Souls, and I've been unable to
break the current version.

So I'm releasing an alpha lib with CreWeb included, so that folks can
play around with it on their own. Please let me know what problems
you run into.

To get started once you install, type: help creweb

-Crat
PS alpha version available here: http://dead-souls.net/code/alpha/