Hacking The Corporate CMS

My new employers are using a XOOPS-based CMS as the “corporate CMS. There’s tons of customisation done on the CMS, however (nightmares of nightmares), the code is pretty fsckin’ messy! There’s at least 10 people who’ve worked on the system, from what I can gather from the comments in the code. And changes are only recorded as notes at the beginning of the respective PHP files.

I do have experience coding for PHP-Nuke (which XOOPS was based on in the first place), however, XOOP’s code are made OO during its evolution since the fork. This itself is something I would avoid (purely by preferance, I got nothing against OOP!), because I’m more of a procedural guy, myself. Mind you, I got no problems coding using classes, instances, and other OOP-related “features”, thank you very much.

Back to the topic… Basically, I’ve been hacking this messy code for about a week now. Added some features, code fixes, and generally playing around with the system. Looking beyond the messy code, I must say I’m quite impressed with the direction that the CMS is heading to. I can tell that it started merely as a “sandbox” where the person in charge is just trying to introduce a FOSS project to implement the MIS vision of the company. It may be flawed, but hey, essentially, it works! And that is what matters.

My job would be to polish this rough mineral and make it glimmer and shine. It should fulfil its requirements as well as have an easy to understand UI to boot. Well, the UI part would mostly be existing stuff. I don’t foresee adding too much bells and whistles to the current core… minor cosmetic changes at most. Somehow, I do feel like I might have to write a module or two… or in the best case scenario, modify one that’s already available.

For now, the CMS has a customised “start page”, a forum, an event calendar, some sort of DMS, and a Meeting Room booking page. The only section that I haven’t yet to hack is the forum. The rest have had their code modified by me one way or another.

One of the stranger hacks I’ve done was to add links to the custom apps my company uses for accounting and sales related data. What’s so strange about that you might ask. Well, the apps are standard Windows executables stored locally on the users’ PCs. The strange requirement that the powers-that-be (aka the Directors) wanted was the ability to launch these apps directly from the CMS itself.

The first time I heard of this requirement, I understandably went, “WTF?!”. This is virtually unheard of to me. Especially considering the security repercussions that could happen. Before I joined, the company achieved this through the following strange manner:

  1. Share the local “C:\Program Files” directory and map it as Z: drive
  2. Link the necessary apps from the CMS as “file:///Z:/Path To Executable/app.exe”
  3. Take it from there 🙂

The first thought that went through my mine was that there’s got to be a better way of achieving this without actually sharing the “Program Files” directory on the local machine. Eventhough the permissions for this folder was set properly (again by yours truly, via XCACLS), it just seem like a very unnatural way of achieving this requirement. My esteemed colleagues said they’ve tried running the apps directly off the C: drive using something like “file:///C:/Program Files/Dir/app.exe”, but failed miserably. Frankly, I don’t find this strange as even how perceivedly insecure Windows is, it couldn’t be so ridiculously dumb to fool the browser (IE) to run local apps! Furthermore, what the heck is wrong in running the damn apps from shortcuts anyway?!

That was when I had an idea… ok, just create the damn shortcuts, upload them to the CMS server, and link to the *.lnk files instead. And guess what, it friggin’ works… not that I expect anything else. There’s just no reason it shouldn’t. Shortcuts are still “normal” files anyway. Well, now we can unshare the “Program Files” directory and sleep soundly at night.

However, while I was playing with the *.lnk files, I was wondering… heck, I can upload a maliciously crafted shortcut somewhere and link to it via email or a free pr0n page or something. What’s there to stop idiots from being clicky-happy and launching themselves to *.lnk hell? Now that’s food for thought 😉

Sometimes, I’m just really glad I’m not running the popular OS beyond the office 🙂