The GENESIS script lets you administer your web page from your web browser. It includes an interface for listing all files in a directory, editing text or HTML files, creating text or HTML files, uploading binary, text or HTML files from your home computer, deleting files, and renaming files. The script supports unlimited nested subdirectories and allows you to create, delete, rename, and switch directories as you work.

It comes with a help file which addresses security issues and describes how to set up user authentication (password-locked directories) on your system, among other things.

Version 1.2 was released on March 16, 1997.

Demo the GENESIS Script
View a Directory Created by GENESIS

View the code (text file)
Download the script and this help file (zip file)

Help File for the GENESIS Script

Why Would I Want to Use GENESIS?
Convenience and flexibility.

It is convenient because it allows real-time changes to your web page from your web browser. You don't have to use an editor, an FTP program, and a web browser to make & test changes.

It is flexible because you can give publishing privileges to validated users without giving them your password.

Despite the use of web page templates and a user-friendly interface, this script was never intended to compete with a real text or HTML editor, or a real FTP program. Its sole utility arises from its ability to combine some features of both in a server-side program.

System Requirements
To run GENESIS you must have access to the Internet and a unix-based web page (either a personal web page or your own server, it doesn't matter). The provider must allow custom CGI scripts, support htaccess authentication, and allow writable web directories. Most do.

If you don't have such a web page, they are available for a few dollars per month from hundreds of different companies. You can get an excellent full-service account from Illuminati Online for $10 per month. They are one of the best. If you need your own domain name and lots of storage space, Pair Networks works great. This account (xav.com) is hosted by Pair.

To run this script you should have some knowledge of HTML, and you should have successfully installed a more basic script at some point. If you don't understand directory permissions and htaccess protection, please do not use this script! It creates a massive security risk if not properly installed.

Tech details: GENESIS was designed on the C2NET public server, which uses FreeBSD, Stronghold, and Perl5.003. It has been successfully run on other FreeBSD servers with Perl 4 & higher and Apache servers 1.1 & higher. Version 1.2 fixes the un-escaped @ bug which showed up on some systems.

Installation and Configuration
Installation of GENESIS requires four (4) files, one (1) directory creation, five (5) changes in permissions, and the editing of one (1) document. These eleven (11) steps will be addressed in order. The installation process should take less than five minutes.

The Four Files -
Place the following documents on your web server. genesis.cgi should be placed in the directory where your other scripts go (usually cgi-bin). If you download the text version, rename it "genesis.cgi" at some point. genesis.dat is the preferences file. Place it anywhere in your web directory. log.txt is the file which records everything that GENESIS does. Place it anywhere in your web directory except the sub-directory which GENESIS uses to create documents. black.gif is a small image that is used to submit forms. Place it with the rest of your images. You may download all of these as a zip file. The zip file contains some extras, such as this help file and some ready-to-use templates, which you'll find useful.

The One Directory Creation -
GENESIS starts with one web directory. Within this directory it will create new sub-directories, new files, and so on. Create a directory for GENESIS to work from by typing mkdir genesis at your telnet prompt. You could also create a new directory with your FTP client (replace "genesis" with whatever directory name you'd like to use). If you'd like, you can use an already existing directory, or your root web directory, as a base. If so, you'll have to make all pre-existing files and sub-directories writable.

The Five Permissions -
The script must be readable and executable. The preferences file must be readable and writable. The log file must be readable and writable. The image must be readable. The directory must be readable, writable, and executable. These permissions, or modes, may be set by your FTP client, or via telnet. In telnet, type:

chmod a+rx  genesis.cgi
chmod a+rw  genesis.dat
chmod a+rw  log.txt
chmod a+r   black.gif
chmod a+rwx genesis
You may wish to specify the full directory path to these files and one directory.
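A preflight check for the five modes just listed, added here as an example (it is not part of the GENESIS distribution, and is written in Python rather than the script's Perl). It assumes the four files and the working directory sit side by side under one base directory with their default names; the demo builds such a layout in a temporary directory, checks it, then de-activates the script with chmod 400 (as the Security Issues section suggests) to show what the report looks like when a mode is wrong.

```python
import os
import stat
import tempfile

# Minimum permission bits the help file asks for, keyed by the default
# names above (assumption: everything is installed under one base directory).
REQUIRED_BITS = {
    "genesis.cgi": 0o555,  # a+rx
    "genesis.dat": 0o666,  # a+rw
    "log.txt":     0o666,  # a+rw
    "black.gif":   0o444,  # a+r
    "genesis":     0o777,  # a+rwx (the working directory)
}


def check_install_modes(base):
    """Return a list of problems; an empty list means every item has at
    least the required bits. Extra bits (e.g. the owner's write bit on the
    script) are fine and are not reported."""
    problems = []
    for name, required in REQUIRED_BITS.items():
        path = os.path.join(base, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            problems.append(f"{name}: missing")
            continue
        missing = required & ~mode
        if missing:
            problems.append(f"{name}: mode {mode:04o}, missing bits {missing:04o}")
    return problems


def demo_modes():
    """Constructed sample: install into a temp directory with the modes from
    the chmod lines above, check it, then set the script to 400 (the
    de-activation step from the Security Issues section) and check again."""
    base = tempfile.mkdtemp()
    for name in ("genesis.cgi", "genesis.dat", "log.txt", "black.gif"):
        open(os.path.join(base, name), "w").close()
    os.mkdir(os.path.join(base, "genesis"))
    os.chmod(os.path.join(base, "genesis.cgi"), 0o755)
    os.chmod(os.path.join(base, "genesis.dat"), 0o666)
    os.chmod(os.path.join(base, "log.txt"), 0o666)
    os.chmod(os.path.join(base, "black.gif"), 0o644)
    os.chmod(os.path.join(base, "genesis"), 0o777)
    before = check_install_modes(base)
    os.chmod(os.path.join(base, "genesis.cgi"), 0o400)
    after = check_install_modes(base)
    return before, after


if __name__ == "__main__":
    for report in demo_modes():
        print(report or "all modes OK")
```

Run it against a real installation by calling check_install_modes with the directory that holds the four files; a non-empty list tells you exactly which chmod was skipped.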

The One Editing -
Open genesis.cgi in a text editor such as Pico. Scroll down. The first variables you will be asked for are the path and URL of the directory we just created. Enter these next to $data_path and $data_http, respectively (remember to include trailing slashes). Do not modify $core_data_path.

Scrolling down further, you will be asked to provide the full path and filename of your preferences file. Do so.

The next variable, the $cgi_url, holds the relative URL for the script. If you have changed the name to something other than genesis.cgi, enter that new name here. Otherwise, move on.

$logfile is the full path and filename of your log file. If you don't want to bother with logging, set $logfile = '';.

$black_url is the web address of the black image we downloaded earlier. You are welcome to leave it as is and use our image, but a copy served from your own system might load faster.

The next three variables determine the security of your script. If $execute = 'yes', any new files created can be working CGI scripts or documents with SSI calls. $allowed_space is the number of kilobytes which a user can add in the GENESIS directory. $allowed_upload is the size limit, in kilobytes, of uploaded files.

The final three variables are the default locations of some common UNIX commands on your system. You should not have to modify these. The script should work now. You are welcome to edit the rest of the code as you like - much of it is just straight HTML.

Security Issues
If someone can get to your GENESIS script, he can delete or modify all of your web pages, or add his own. He can also upload illegal files (i.e., stolen software) for worldwide distribution. Finally, if the $execute = 'yes' option is set, he can place his own scripts in your web directory and use them to damage other files on the server. He could even install his own GENESIS script without any of the directory, executable, or file size restrictions that you have included in yours.

For this reason, it should be difficult to get to the GENESIS script. The best way is to hide it - layer it within several levels of subdirectories, and rename it something else. Don't tell anyone that you have it and are using it.

When you don't need to use it, de-activate it with:

chmod 400 genesis.cgi
For example, if you activate it for a client who needs to upload and configure his web page, you can de-activate it afterwards and have him call you when he needs it again. If you use it for your own benefit and will be off the net for a few weeks, shut it down so you don't return to any unpleasant surprises. It can be re-activated at any time by typing:
chmod 755 genesis.cgi
Make sure to set your $allowed_space variable to some reasonable value. Five megabytes, or '5000', should be plenty for most pages. By setting $allowed_upload between 30 and 50 you will be able to upload most files for a standard web page, but a person could not upload a zipped piece of stolen software.
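The two size limits described here, carried out as an added Python example (not the script's own Perl): upload_allowed applies $allowed_upload to the single file and $allowed_space to the directory total after the upload, with the total computed by walking the GENESIS directory and its subdirectories. The defaults and the demo's sizes are taken from the numbers in this paragraph; the function names are assumptions for illustration, and the sample directory is constructed in a temporary location.

```python
import os
import tempfile

KB = 1024


def directory_kilobytes(root):
    """Total size of regular files under root (subdirectories included), in KB.
    Symlinks are not followed, so a link to a large file elsewhere does not count."""
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                total += os.path.getsize(path)
    return total / KB


def upload_allowed(root, upload_bytes, allowed_space_kb=5000, allowed_upload_kb=50):
    """Apply both limits to a proposed upload. Returns (ok, reason).
    Defaults are the values suggested in the paragraph above."""
    upload_kb = upload_bytes / KB
    if upload_kb > allowed_upload_kb:
        return False, f"file is {upload_kb:.1f} KB, over $allowed_upload = {allowed_upload_kb}"
    projected = directory_kilobytes(root) + upload_kb
    if projected > allowed_space_kb:
        return False, f"directory would reach {projected:.1f} KB, over $allowed_space = {allowed_space_kb}"
    return True, "ok"


def demo_quota():
    """Constructed sample: a GENESIS directory already holding 3000 KB,
    then three proposed uploads."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "big.gif"), "wb") as f:
        f.write(b"\0" * (3000 * KB))
    return (
        upload_allowed(root, 40 * KB)[0],                         # 40 KB: fits both limits
        upload_allowed(root, 2500 * KB)[0],                       # 2.5 MB archive: over $allowed_upload
        upload_allowed(root, 40 * KB, allowed_space_kb=3020)[0],  # 40 KB, but only 20 KB of space left
    )


if __name__ == "__main__":
    print(demo_quota())
```

The order of the two tests matters in practice: the per-file cap is checked first because it can be decided from the declared size alone, before anything is written to disk.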

In addition to these basic steps, you can require a valid username and password to use the script. In the same directory that contains GENESIS, create the following text file named .htaccess:

AuthType Basic
AuthName EDEN
AuthGroupFile /dev/null
AuthUserFile /home/adam/.htpasswd

<LIMIT GET POST PUT>
require user adam
</LIMIT>
where /home/adam is your personal login directory, and adam is replaced with the username that you would like to use. The file we just created will tell the Apache webserver (and variants thereof) to authenticate (ask for username and password) before a visitor can use the directory in which it resides. It says that the visitor must have username adam, and that his password must agree with the one in the .htpasswd file. So our next step is to create this password file.

At the unix prompt, type:

htpasswd -c /home/adam/.htpasswd adam
where /home/adam is your personal login directory, and adam is replaced with the username that you would like to use. Your server will ask you twice for a password. If you want to change it later, you can run the same command again without the "-c" option.

We may have to make the .htaccess file readable and executable by the webserver:

chmod 555 .htaccess
Setting up .htaccess authentication is sometimes difficult, and not all unix machines support both the .htaccess protection and the htpasswd program. If your provider does not support these things, try a different one. ;)
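How the two files above fit together, as an added Python example (not code from GENESIS or from Apache): parse_htaccess reads the directives the snippet uses, and check_login confirms that the required user has an entry in the named AuthUserFile and verifies a password against it. It assumes the {SHA} entry format that later htpasswd releases write with -s; the DES crypt entries a 1997 htpasswd produced are recognised but not verified here. The sample .htpasswd is constructed in a temporary directory.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def parse_htaccess(text):
    """Pull the directives this help file uses out of a .htaccess body.
    Returns {'AuthUserFile': path, 'require_users': [...]}."""
    conf = {"require_users": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blanks, comments and the <LIMIT> container tags
        parts = line.split()
        if parts[0] == "AuthUserFile" and len(parts) == 2:
            conf["AuthUserFile"] = parts[1]
        elif parts[0] == "require" and len(parts) >= 3 and parts[1] == "user":
            conf["require_users"].extend(parts[2:])
    return conf


def sha_entry(password):
    """The '{SHA}' form that htpasswd -s writes: base64 of the raw SHA-1 digest
    (assumed format for this example)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def check_login(htaccess_text, user, password):
    """Return (ok, reason): would this .htaccess admit user/password?"""
    conf = parse_htaccess(htaccess_text)
    if user not in conf["require_users"]:
        return False, f"{user} is not named in a 'require user' line"
    path = conf.get("AuthUserFile")
    if not path or not os.path.isfile(path):
        return False, f"AuthUserFile {path!r} does not exist (was htpasswd -c run?)"
    with open(path) as f:
        for line in f:
            name, _, stored = line.rstrip("\n").partition(":")
            if name != user:
                continue
            if not stored.startswith("{SHA}"):
                return False, "entry is crypt/MD5 form; this example verifies only {SHA} entries"
            # constant-time comparison so timing does not leak how much of the hash matched
            if hmac.compare_digest(stored, sha_entry(password)):
                return True, "ok"
            return False, "wrong password"
    return False, f"{user} has no entry in {path}"


def demo_login():
    """Constructed sample: an .htpasswd for 'adam' and the .htaccess from the
    help file pointing at it."""
    home = tempfile.mkdtemp()
    pw_path = os.path.join(home, ".htpasswd")
    with open(pw_path, "w") as f:
        f.write("adam:" + sha_entry("correct horse") + "\n")
    htaccess = (
        "AuthType Basic\nAuthName EDEN\nAuthGroupFile /dev/null\n"
        f"AuthUserFile {pw_path}\n\n<LIMIT GET POST PUT>\nrequire user adam\n</LIMIT>\n"
    )
    return (
        check_login(htaccess, "adam", "correct horse")[0],  # right user, right password
        check_login(htaccess, "adam", "wrong")[0],          # right user, wrong password
        check_login(htaccess, "eve", "correct horse")[0],   # user not in 'require user'
    )


if __name__ == "__main__":
    print(demo_login())
```

The reasons returned by check_login correspond to the three things that usually go wrong in this setup: the user is not in the require line, the AuthUserFile path is wrong, or the entry was never created.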

We hope that this section does not make you overly paranoid - we just want to let you know what some of the dangers are, and to give some suggestions on how to decrease the risk. During beta testing this script was used on some fairly sensitive sites which withstand several attempted hacks daily, from both users on the same system and from users from outside, and no problems arose.

Trouble-shooting
The script is run by going to the URL of the genesis.cgi file - there is no HTML page to anchor it. If you get a "malformed header" or "premature end of script headers" message, it is probably because the script was transferred as a binary file at some point. If you open the file with Pico, create and delete a line, and then save it, the problem usually goes away.

When you open the file in a text editor to set the configurable options, the editor might wrap long lines, which will prevent the script from working. We've tried to make all the lines 70 characters or less but some long commands went over that limit. Scroll through the script and make sure that no commands have been interrupted in mid-line.

If you can use the script but your changes aren't taking effect, make sure that your files and directories are writable. Type chmod 777 directory/*.* to make files writable, and chmod 777 directory to make the directory writable.

This is a very new script, and this is our first ever attempt at making a help file. If you have a problem, write to xav@xav.com and we will try to solve the problem and include the solution in this section.

Creative Applications
This script can be used, in its most basic version, to update and administer web files residing on your web page. We trust that this is fairly straightforward.

This script can also be used to update and administer, from your account, other people's web pages which reside on the same server. For example, if Eve has a web page in the www/eve/ directory, Adam can set his $data_path and $data_http variables to her directory and control it from his script. Since Eve must set chmod 777 /www/eve/ (i.e., Eve makes her web directory world writable), she has the final word in whether or not another user can modify her web page.

This script can also modify and administer other people's web pages without their consent if one or more of their files or directories have been made world-writable. For example, guestbooks and webboards are universally writable, as are access logs and other dynamic database files. Furthermore, if two users on the same server are both using GENESIS, there is no reason that they couldn't modify the contents of each other's directory. A search on the average web server will show that one out of every twenty or thirty users has, for whatever reason, made their web directories universally readable, writable and executable. These may be written to at will.

To determine whether or not a user's web directory is writable, you can telnet to your web directory, jump to the higher level directory (cd ..), and type ls -al. This command will list all users' web directories with their permissions. Therefore, to protect yourself, never make your root web directory writable. Instead, set chmod 705 /www/username/ and only give expanded permissions to internal sub-directories. By setting 705, you prevent other users on your system from looking inside your directory and probing the permissions of files and subdirectories.
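An audit for the condition this paragraph describes, from the owner's side: an added Python example (not part of GENESIS) that walks your own web directory and reports every file or directory whose world-writable bit is set, the root included. It goes a step beyond the ls -al check above by covering the whole tree rather than one level. The demo builds a constructed tree with the 705 root recommended here, a 777 GENESIS working directory and a 666 guestbook file.

```python
import os
import stat
import tempfile


def world_writable_entries(root):
    """Return sorted (relative path, mode) pairs for the root itself and every
    directory or regular file beneath it whose 'other' write bit is set.
    Symlinks are skipped: their own mode is meaningless and their target is
    audited wherever it actually lives."""
    found = []
    root_mode = stat.S_IMODE(os.stat(root).st_mode)
    if root_mode & stat.S_IWOTH:
        found.append((".", root_mode))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                found.append((os.path.relpath(path, root), mode))
    return sorted(found)


def demo_audit():
    """Constructed sample web directory: 705 root (as recommended above),
    a 644 index page, a 777 GENESIS working directory holding a 755
    subdirectory, and a 666 guestbook file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "genesis", "pages"))
    for rel in ("index.html", "guestbook.txt", "genesis/pages/index.html"):
        open(os.path.join(root, rel), "w").close()
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "guestbook.txt"), 0o666)
    os.chmod(os.path.join(root, "genesis", "pages", "index.html"), 0o644)
    os.chmod(os.path.join(root, "genesis", "pages"), 0o755)
    os.chmod(os.path.join(root, "genesis"), 0o777)
    os.chmod(root, 0o705)
    return world_writable_entries(root)


if __name__ == "__main__":
    for rel, mode in demo_audit():
        print(f"{mode:04o} {rel}")
```

Anything the audit lists is a place another user on the same server could write; the GENESIS working directory appears by design, so the point is to make sure nothing else does.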

The issues surrounding modification of others' web files can be solved by using CGIWrap, which we don't claim to understand. The link leads to more information. Bear in mind that these potential security holes on multi-user web servers have existed, and have been exploited (by some of us), long before GENESIS was created.

The ever-so-versatile GENESIS can also be used to view, and in some cases modify, the system files on your server. By setting $data_path to the root directory (/), you can list and open all files on the system, including /etc/passwd and its variants. If those files are universally writable, or writable by the group which contains nobody (they shouldn't be), you can modify the files. Doing so is not recommended for the average user, but might prove useful for systems administrators.

Copyright Information and Notification of Updated Versions
GENESIS is freeware, and all later versions will remain freeware. There are no restrictions on its use, nor are any warranties made or implied about its durability or fitness for a particular purpose. If you need help installing the script on your system, we will happily assist for a small fee - write to us at xav@xav.com.

While use is unrestricted, distribution requires the consent of the copyright holders, Xerxes Victoria and Zoltan Milosevic.

To receive notification via email when an updated version is released, send an email message to xav@xav.com to that effect. To help drive new updates, please send any suggestions and bug reports to the same address.

Why is it named GENESIS?
In the beginnings of life, we had all sorts of chemical processes (lightning, volcanoes, solar radiation) which added to the amount of organic compounds in the Earth. Finally, with a spark of life, the organic compounds came together into self-perpetuating organisms which could create their own compounds and improve themselves.

Similarly, in the early days of the web we had all these external programs which were used to write web pages and CGI scripts for the Internet. Now, with GENESIS, an HTML-based CGI script is used to create more HTML and CGI documents, without any other software. What's more, if you have two GENESIS scripts, they can be used to modify each other and thereby improve themselves. Very deep, eh?

Credits and Stuff
This script was written by the Fluid Dynamics company, which is equivalent to saying that it was written by Xerxes Victoria and Zoltan Milosevic. (Yes, we are actively trying to recruit a programmer whose first name begins with a "Y".) The "list files" procedure is loosely based on code from Matt Wright's Simple Search Script, and the "file upload" procedure was borrowed from Jeff Carnahan's File Upload Script. We thank them for their help, and if you enjoy this script then please send them thanks as well. The modifications of these, and the rest of the code, were of our making. Everyone who finds bugs in the script will also be mentioned in this section if they want to be.

Release 1.2 (March 16, 1997) allows limiting the total disk space that GENESIS can edit. This is useful for webmasters who wish to give publishing rights to third parties, but don't want them to exceed their space allowance. Various bugs associated with processing executable files have been fixed. The TEXTAREA bug has been fixed. A new edit-on-the-fly option has been added to make writing HTML documents even more convenient, and many of the options can now be set by the user from the web interface. The user can create multiple text file templates for easy document editing. An optional log file records the IP address, date, and actions as they occur. This release fixes a security hole in older versions which allowed modifying files outside the given root directory using a forced GET method.

The new version is 100% backwards compatible. Please upgrade if only to fix the security hole.
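The check that closes the hole mentioned in the release notes above, written as an added Python example (it is not the fix that went into genesis.cgi, whose Perl is not reproduced here): every user-supplied path is resolved against $data_path and refused unless the result still lies inside it, which also covers symlinks that point out of the tree and sibling directories whose names share a prefix with the root. The directory layout in the demo is constructed in a temporary location.

```python
import os
import tempfile


def resolve_inside(data_path, requested):
    """Resolve a user-supplied relative path against $data_path.
    Returns the absolute path if it stays inside the tree, else None.
    Absolute paths, '..' segments and symlinks leading outside are all refused."""
    if os.path.isabs(requested):
        return None
    root = os.path.realpath(data_path)
    candidate = os.path.realpath(os.path.join(root, requested))
    # root + os.sep stops a sibling such as /www/genesis2 matching /www/genesis
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def demo_containment():
    """Constructed layout: <tmp>/genesis is $data_path, with a pages/
    subdirectory, the preferences file as a sibling outside the tree, and a
    symlink 'escape' inside the tree that points at the parent directory."""
    parent = tempfile.mkdtemp()
    root = os.path.join(parent, "genesis")
    os.makedirs(os.path.join(root, "pages"))
    open(os.path.join(root, "pages", "index.html"), "w").close()
    open(os.path.join(parent, "genesis.dat"), "w").close()
    os.symlink(parent, os.path.join(root, "escape"))
    requests = [
        "pages/index.html",           # ordinary request: allowed
        "pages/../pages/index.html",  # harmless '..': allowed after normalisation
        "../genesis.dat",             # preferences file outside the tree: refused
        "/etc/passwd",                # absolute path: refused
        "escape/genesis.dat",         # symlink leading out of the tree: refused
        "../genesis2/index.html",     # sibling sharing the name prefix: refused
    ]
    return tuple(resolve_inside(root, r) is not None for r in requests)


if __name__ == "__main__":
    print(demo_containment())
```

Comparing canonical paths rather than inspecting the request string for ".." is what makes the symlink and prefix cases come out right; a string filter alone would pass both.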

Thanks go to Martin for pointing out and correcting the unescaped @ bug (for this script and all our others). He also pointed out and fixed the TEXTAREA bug in the document edit module. Also, thanks to Nick of CyberNet Technologies for valuable feedback on streamlining the edit module and including links at the top of each document.

© 1997, Fluid Dynamics