Programming isn’t a science, it’s more of a craft to me. A craft implies a combination of some creativity and some practicality. You can make a wardrobe that does the job, or you can get a craftsman to do the job and you’ll end up with something that is not only functional, but great to look at. Craftsmen build the furniture you buy from antique stores.
Software can certainly be the same. Software can work, or it can work well. It can be inspiring and fun to work on, or it can be terrible and boring. It generally comes down to the skill and work ethic of the person that is writing it in the first place. I want to build an antique, not an $11 chair from Ikea.
Corey Haines has been doing a series of videos about all matters software related, but he seems to be mainly passionate about Pair Programming. I like how he sometimes delves into the psychology of people in an industry that is populated by so many with unusual profiles.
He operates a blog called On Being a Journeyman Software Craftsman and it contains a bunch of videos and short blurbs about things he’s learned while on his trip. I’d check it out and you might learn a bit about some of the cooler ideas out there in the software world.
FCKEditor is a third party WYSIWYG editor for websites that is used in a great number of applications across the web. The problem with using third party applications is that you can never be sure of the quality of the code, or of the security model they’re enforcing. In the case of FCKEditor the default installation can be extremely insecure and information on how to secure it is pretty thin on the ground.
There are a few things that can be done to improve the security of FCKEditor after installation so hopefully these few pointers will help.
Integrate Your Own Authentication
You can integrate some basic authentication fairly easily using an htaccess file and the php auto_prepend directive. This directive will basically tell the php engine to prepend any script with the file that you specify, it’s essentially the same as issuing a require() call before each page is run. We use this to run our own authentication scripts before access to any part of our application is run. There are parts of FCKEditor that are freely open to the public, so this is quite important unless you want your site to have anonymous users uploading anything to you.
Turn Off The PHP Engine in Your Upload Directories
FCKEditor does have some very basic checking included to try and stop users from being able to upload any sort of executable code to your application; but none of it works very well. The best way to circumvent this is to stop PHP from functioning inside your upload directories. What this means is that although a user could circumvent your security and upload some malicious code to your server all that will happen is your web server will serve back the content as plain text.
Remove FCKEditor’s Testing Pages
FCKEditor includes some basic forms that allow you to check that your configuration is correct for uploading and browsing your website. These forms if they remain publicly available provide a very handy access point for users to upload content to your site that they shouldn’t be. The file exists in /editor/filemanager/connectors/test.html and is there only to allow you to test the connectors, you should be deleting it. This step will not stop those progressing up to step one or two, but I see this as putting up some fake security cameras, it’ll stop some lazy criminals.
Hopefully these tips will help anyone that is using FCKEditor and is worrying about any holes in their security this might open up. Obviously these can be generically applied to any application that allows uploading to occur, however with FCKEditor being quite prominent in older applications it’s probably worthwhile just having a look at your app to see how secure your editor really is.
Twitter
One of our older blog posts has sparked some interest again today. A case for quality content. http://t.co/3aGHCKgH