[Add-on] RevCMS Bcrypt

Junior Spellweaver
Joined
Sep 12, 2013
Messages
146
Reaction score
66
Hi,

Today I release my version of bcrypt in RevCMS. It's just an add-on, and yeah it has been released somewhere else. It's just not out in the open and the threads that do have it are a bit confusing I guess. I don't honestly recommend bcrypt for retros that know how to defend their DB, I think it only works with retros that have a reputation of weak websites. Like injection etc.

Go to app/class.core.php and find this line:
PHP:
final public function hashed($password)
    {
        return md5($password);
    }
and change it to:
PHP:
final public function hashed($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

Step 2, go to class.users.php and find something similar to:
PHP:
final public function userValidation($username, $password)
    {
        global $engine;

        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
        {
            return true;
        }

        return false;
    }
then change it to:
PHP:
final public function userValidation($username, $password)
    {
        global $engine;

        if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)
            return password_verify($password);
    }
 
Initiate Mage
Joined
Aug 9, 2016
Messages
83
Reaction score
11
I think you should also include the code for logging in, I'm pretty sure that if you only use this you just make your site unable to be logged in :D

atm it looks something like this:
Code:
function auth_login($hashfromdb){
    // hashes the submitted password again and compares it with the stored hash
    if($hashfromdb == hashed($_POST['passu'])){
        return true;
    }else{
        return false;
    }
}
Won't work because every time you do password_hash($x) it returns a different hash. You should be using password_verify() instead.

Code:
function auth_login($hashfromdb){
    // password_verify() reads the salt and cost from the stored hash itself
    if(password_verify($_POST['passu'], $hashfromdb)){
        return true;
    }else{
        return false;
    }
}
 
Junior Spellweaver
Joined
Sep 12, 2013
Messages
146
Reaction score
66
Thanks for reminding me lol.

Fixed post - includes password_verify($password) now. (RZ kinda fucked the styling, easy fix.)
 
Initiate Mage
Joined
Aug 9, 2016
Messages
83
Reaction score
11
still unusable

boolean password_verify ( string $password , string $hash )
 
Experienced Elementalist
Joined
Nov 11, 2015
Messages
238
Reaction score
89
Bcrypt never let me down, for sure less decryptable than md5. Thanks!
Do note you can't simply change the hashing method if your hotel already has a user base. Old users will not be able to login again.
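
Added example, not part of the thread and not RevCMS's own code: a `userValidation()` that passes both arguments to `password_verify()` and upgrades accounts that still hold the old `md5()` value on their next successful login, so an existing user base is not locked out. It assumes the function receives the plaintext password and a PDO handle; the SQLite table and the sample users are constructed for the demo.

```php
<?php
// Added example. Table layout, PDO handle and sample users are assumptions.
function userValidation(PDO $db, string $username, string $password): bool
{
    // Look the row up by username only: a bcrypt hash cannot be matched in SQL,
    // because password_hash() salts every hash differently.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];

    // Legacy account: 32 hex characters means the old md5() value is still stored.
    if (preg_match('/^[a-f0-9]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $needsUpgrade = true; // password proven correct, replace the md5 value
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Also re-hash when the stored bcrypt cost is below the current default.
        $needsUpgrade = password_needs_rehash($stored, PASSWORD_BCRYPT);
    }

    if ($needsUpgrade) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $row['id']]);
    }
    return true;
}

// Constructed demo data: one legacy md5 user, one bcrypt user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['olduser', md5('hunter2')]);
$ins->execute(['newuser', password_hash('s3cret', PASSWORD_BCRYPT)]);

var_dump(userValidation($db, 'olduser', 'hunter2')); // first login against the md5 row
var_dump(userValidation($db, 'olduser', 'hunter2')); // second login, row was re-hashed
var_dump(userValidation($db, 'newuser', 'wrong'));   // wrong password for a bcrypt row
```

The md5 values stay in the database until each user logs in once, so they remain as weak as before for accounts that never return.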
 
Junior Spellweaver
Joined
Sep 12, 2013
Messages
146
Reaction score
66
@Jonteh has a good point. Although this is a decent upgrade, users should be moving away from Rev. Yes, it was a good CMS, but it has now become outdated.
Indeed. This is very outdated code, although from the releases it's still the easiest to use.
From my point of view I see 4 usable CMS's: Chocolatey, RevCMS, BrainCMS. Chocolatey uses a framework and it actually crashed my hotel several times. BrainCMS I have never used, so can't really say anything about it. I don't personally like RevCMS, I believe it's just easier to use for people.
 
Joined
Oct 26, 2012
Messages
2,357
Reaction score
1,086

Wait. A CMS crashed your hotel? I'm sure something's wrong in your hotel configuration...
 
Joined
Apr 30, 2007
Messages
2,337
Reaction score
1,547
I don't quite understand how a CMS could crash your Hotel? I understand he's butchered the Lumen Framework but even so, your hotel's configuration must be terrible.
This guy sounds to me like he had an issue so instead of figuring out what actually caused the problem he's just blaming the first thing that comes to mind.

A CMS crashing a hotel. Fantastic.
 
Initiate Mage
Joined
Aug 9, 2016
Messages
83
Reaction score
11
Knowing the userbase on Theft's hotels, I'd say it's most likely possible that someone has exploited the CMS to crash the emu. But idk if that's even possible, never used Chocolatey myself.
 
Junior Spellweaver
Joined
Sep 12, 2013
Messages
146
Reaction score
66
Never underestimate the true power of PHP.
^^ Was using an old version of Chocolatey, probably had some backdoors or still does. I have nothing against Choco, great project and appreciate the effort saamus, overall amazing CMS. Just bad experiences. Like Aamiainen stated below, our community is sh*t. If there is a way to attack, it happens.
Knowing the userbase on Theft's hotels, I'd say it's most likely possible that someone has exploited the CMS to crash the emu. But idk if that's even possible, never used Chocolatey myself.
 
Joined
Sep 2, 2011
Messages
2,171
Reaction score
916
Hi, I was summoned here, eggeg. Thanks for the concerns Theft.

But as maritnmine said, never, never underestimate the power of PHP. But anyways, how did Chocolatey crash your hotel? I never received any issue report of that kind of bug.

Yeah, Chocolatey has some "small" security issues, but none of them are from Chocolatey itself. They are things like I forgot to block access to the .env file with .htaccess and web.config.

Things like that..

Chocolatey uses Lumen Framework, maintained by Laravel. A really great and big community. All the inputs and outputs are handled and managed by Lumen. I don't do any "garbage" code or really complex code or any code that directly takes the input without using Laravel's Facades.

Also, Chocolatey is in my opinion really easy to use. But yes, I receive a lot of issues of people even knowing how to execute the Laravel's Artisan Helper to Migrate the Database Entities.

Anyways, the community reports suggestions and bugs really often on Chocolatey's GitHub repository, and I'm continuously updating it.

Since there aren't really new things to code, Chocolatey state-of-art is in bug fixes and code improvements, since 98/99% of all Habbo.com features are literally coded in exactly the way Habbo does. (Or something really near to the original experience).

Best regards,
saamus
 