[Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

  1. #1
    Proficient Member klaudio007
    Join Date: Dec 2007
    Location: Chile
    Posts: 190

    [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Hi all. This is a simple housekeeping written in PHP for Chocolatey CMS and Arcturus. This CMS includes basic functionality, but would be useful for many users who don't know how to create one or who want to use Chocolatey CMS without spending time.
    This housekeeping is a little standalone (you can edit it for any other emu or CMS).

    To configure it you will need to paste the files into a new folder inside the /public folder or root. Then you will need to edit the core.php file with the correct db, user and pass, and upload the .sql to your database.

    Some basic features:
    • Search by name and edit users, currencies and activity points.
    • Ban users and manage bans(delete).
    • Room list and delete.
    • Add and manage chocolatey news.
    • Badge store - add badge to catalog page. Auto create badge definition on items_base. (You need to configure the badges catalog page and badges images folder on HK_CONFIG table).
    • Add a new badge image - add name and description texts. (For this configure the location of your external_texts.txt in badge upload php files).
    • Search and edit external_texts.
    • Send badge. To an online user (with alert and RCON) or send without alert if the user is offline.
    • Some RCON commands like refresh cata. Some of the RCON commands don't work for now, like disconnect when banning or update_items when refreshing the store.

    Images:
    https://imgur.com/a/rrFb2

    Github:
    https://github.com/qlaudio/SimpleHK

    NOTE: This HK is responsive and easy to edit. For now the HK is only in Spanish, but you can translate it easily. Sorry for the poor code.

    NOTE II: This HK has some security issues. I updated all mysqli to PDO but still have some issues in other things. Please tell me or help me fix it if you find another vulnerability.

    Credits:
    me? I made this based on an old housekeeping for uber (HelioCMS or something).
    Last edited by klaudio007; 15-02-18 at 05:05 PM.


  2. #2
    Member Rubber
    Join Date: Apr 2015
    Location: Valkenburg
    Posts: 91

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Thanks mate, works perfectly!

  3. #3
    Member Kyle Betts
    Join Date: Jan 2016
    Location: Summoner's Rift
    Posts: 70

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Use it at your own risk, I opened just one file and I saw multiple SQL injections.
    I could guess how many other vulnerabilities there are! :)

    Spoiler:

    $title = $_POST['title'];
    $category = $_POST['category'];
    $image_url = $_POST['image_url'];
    $stext = $_POST['stext'];
    $btext = $_POST['btext'];
    $author = $user_q['username'];
    $roomid = $_POST['roomid'];
    $image_url_thumb = $_POST['image_url_thumb'];
    $timestamp = date('Y-m-d H:i:s');
    mysqli_query($db,"INSERT INTO chocolatey_articles (title,description,content,categories,imageUrl,thumbnailUrl,author,roomId,created_at) VALUES ('$title','$stext','$btext','$category','$image_url','$image_url_thumb','$author','$roomid','$timestamp')");
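
The insert from the spoiler above rewritten with PDO bound parameters, as an added example that is not part of the original post or of SimpleHK. It assumes an in-memory SQLite database in place of MySQL, a hypothetical saveArticle() helper, an integer roomId column, and constructed form input.

```php
<?php
declare(strict_types=1);
// Added example, not SimpleHK code. Assumptions: in-memory SQLite stands in for
// MySQL, saveArticle() is a hypothetical helper, and $post is constructed input.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE chocolatey_articles (id INTEGER PRIMARY KEY, title TEXT,
    description TEXT, content TEXT, categories TEXT, imageUrl TEXT,
    thumbnailUrl TEXT, author TEXT, roomId INTEGER, created_at TEXT)');

function saveArticle(PDO $pdo, array $post, string $author): int
{
    // roomId is assumed numeric: validate it instead of quoting it.
    $roomId = filter_var($post['roomid'] ?? null, FILTER_VALIDATE_INT);
    if ($roomId === false) {
        throw new InvalidArgumentException('roomid must be an integer');
    }
    // Placeholders keep request data out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO chocolatey_articles (title, description, content, categories,
            imageUrl, thumbnailUrl, author, roomId, created_at)
         VALUES (:title, :stext, :btext, :category, :image_url,
            :image_url_thumb, :author, :roomid, :created_at)'
    );
    $stmt->execute([
        ':title'           => (string) ($post['title'] ?? ''),
        ':stext'           => (string) ($post['stext'] ?? ''),
        ':btext'           => (string) ($post['btext'] ?? ''),
        ':category'        => (string) ($post['category'] ?? ''),
        ':image_url'       => (string) ($post['image_url'] ?? ''),
        ':image_url_thumb' => (string) ($post['image_url_thumb'] ?? ''),
        ':author'          => $author,
        ':roomid'          => $roomId,
        ':created_at'      => date('Y-m-d H:i:s'),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed form input: quotes and a comment marker in the title.
$post = ['title' => "Kyle's room'); --", 'category' => 'news', 'roomid' => '12',
         'stext' => 'short', 'btext' => 'body', 'image_url' => '/a.png',
         'image_url_thumb' => '/a_thumb.png'];
$id = saveArticle($pdo, $post, 'admin');
$check = $pdo->prepare('SELECT title FROM chocolatey_articles WHERE id = ?');
$check->execute([$id]);
$stored = $check->fetchColumn();
var_dump($stored === $post['title']); // compares the stored title with the input
// Escape on output so the stored title cannot break out of the HTML page.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared server-side.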

  4. #4
    Proficient Member klaudio007
    Join Date: Dec 2007
    Location: Chile
    Posts: 190

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by Kyle Betts:
    Use it at your own risk, I opened just one file and I saw multiple SQL injections.
    I could guess how many other vulnerabilities there are! :)

    Spoiler:

    $title = $_POST['title'];
    $category = $_POST['category'];
    $image_url = $_POST['image_url'];
    $stext = $_POST['stext'];
    $btext = $_POST['btext'];
    $author = $user_q['username'];
    $roomid = $_POST['roomid'];
    $image_url_thumb = $_POST['image_url_thumb'];
    $timestamp = date('Y-m-d H:i:s');
    mysqli_query($db,"INSERT INTO chocolatey_articles (title,description,content,categories,imageUrl,thumbnailUrl,author,roomId,created_at) VALUES ('$title','$stext','$btext','$category','$image_url','$image_url_thumb','$author','$roomid','$timestamp')");
    I don't make security fixes. Add them if you want to use this and if you don't have reliable staff.
    Sorry for this. I will update to use PDO in the next version.

  5. #5
    o/ Konquer
    Join Date: Apr 2014
    Posts: 464

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by klaudio007:
    I don't make security fixes. Add them if you want to use this and if you don't have reliable staff.
    Sorry for this. I will update to use PDO in the next version.
    You can SQL inject on the login, so it doesn't really matter if your staff is reliable or not, as anyone can view that page.

    Nice to see some housekeeping releases regardless though :)

  6. #6
    Proficient Member klaudio007
    Join Date: Dec 2007
    Location: Chile
    Posts: 190

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by Konquer:
    You can SQL inject on the login, so it doesn't really matter if your staff is reliable or not, as anyone can view that page.

    Nice to see some housekeeping releases regardless though :)
    Ok. Please close this topic.

  7. #7
    Member Rubber
    Join Date: Apr 2015
    Location: Valkenburg
    Posts: 91

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by klaudio007:
    Ok. Please close this topic.
    Wow, you stop because of some feedback?
    C'mon man, keep it up! Some people are very happy with it!

  8. #8
    Enthusiast Luicy
    Join Date: Feb 2018
    Posts: 47

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by RubberNL:
    Wow, you stop because of some feedback?
    C'mon man, keep it up! Some people are very happy with it!
    Seeing how this code had several flaws and open XSS injections for any client visiting the login page, I don't think this release should ever be shown to RaGEZONE forums ever again. I'm not saying that he should give up on releasing PHP scripts, but he should surely as hell learn about PHP security.

    Here's a doc' that you (@klaudio007) should take your time to read: PHP: Security - Manual

  9. #9
    Member Rubber
    Join Date: Apr 2015
    Location: Valkenburg
    Posts: 91

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by Luicy:
    Seeing how this code had several flaws and open XSS injections for any client visiting the login page, I don't think this release should ever be shown to RaGEZONE forums ever again. I'm not saying that he should give up on releasing PHP scripts, but he should surely as hell learn about PHP security.

    Here's a doc' that you (@klaudio007) should take your time to read: PHP: Security - Manual
    This is what I mean: don't stop, but learn.

  10. #10
    Proficient Member klaudio007
    Join Date: Dec 2007
    Location: Chile
    Posts: 190

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    I don't have time to spend on this now. I will fix the security later. For now I removed the link. I made the page based on an old Uber housekeeping, so faster I think. Sorry and thanks all.

    I will update the first post when I fix those vulnerabilities.

  11. #11
    o/ Konquer
    Join Date: Apr 2014
    Posts: 464

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    No need to take down the link my friend. This is still a nice release as long as people are aware of the issues. Anyone can easily jump in and fix up the security flaws if they want to :)

  12. #12
    Proficient Member klaudio007
    Join Date: Dec 2007
    Location: Chile
    Posts: 190

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by Konquer:
    No need to take down the link my friend. This is still a nice release as long as people are aware of the issues. Anyone can easily jump in and fix up the security flaws if they want to :)
    Ok. I understand. But I prefer to fix it and give a good HK. Wait for me 2 days until I get home.

  13. #13
    HabboFont.net Cankiee
    Join Date: May 2013
    Location: North Korea
    Posts: 978

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Fuck those security issues that we can fix ourselves.

    I want the fucking link. Anyone can reupload this?

  14. #14
    Proficient Member Jeanzinh0
    Join Date: May 2009
    Location: Brazil
    Posts: 175

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Originally posted by Cankiee:
    Fuck those security issues that we can fix ourselves.

    I want the fucking link. Anyone can reupload this?
    Google cache: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS - RaGEZONE - MMO development community
    Or direct link: https://github.com/qlaudio/SimpleHK

  15. #15
    git bisect -m ovflowd
    Join Date: Sep 2011
    Posts: 2,191

    Re: [Arcturus|Chocolatey] SimpleHK for Chocolatey CMS

    Guys, just calm down. For those who don't know why this housekeeping was released, here are some points:

    I personally asked the author to release it, since I closed the official Chocolatey development for an unknown time, due to lack of time for doing it and lack of developers who want to contribute to it.

    Actually, Chocolatey is the only CMS available that creates a 100% exact replica of Habbo.com. New CMSs are being developed, but until then we just have Chocolatey.

    The main reason for stopping updating Chocolatey is simple (the main reason was just the lack of time), but the second biggest one was the poor tech stack. Obviously we can see that the Habbo.com CMS is made with Angular and at least Node.js or Vue.js, and we can actually see that it's basically impossible to edit the front-end layer of Chocolatey since all the assets are actually compiled (even the CSS, JS and images).

    The right way, from the beginning, would have been using Sass or Less for styling, some ImagePack library for generating the image bundles, and NodeJS or VueJS in order to create the Angular modules and pack them. Also, NodeJS would be a better fit for the backend.

    I could use Lumen for it, if Lumen was literally only being used for the backend, but I made bad use of Laravel's Lumen, using a micro-framework made for API handling for the frontend as well.

    Laravel also has the Laravel Mix package for Node, which allows packaging modules, but JSPM would be a better fit.

    Also for the backend I personally would choose Groovy + Grails or just Java + Spring Boot or just NodeJS.

    Chocolatey was an experiment that became successful and popular, but I actually knew from the beginning that maintaining it and adding new features would be practically impossible.

    The fact is that creating a well-coded CMS, well packaged with a decent tech stack, would really take more of my time than was actually spent.

    I'm really happy that @LeChris is doing a decent "replica" of Habbo.com (I can't say it's a replica/clone because he's adding custom stuff).

    Yes, this HK has vulnerabilities; if you're bothered by that and want to use it, fix it yourself.

    The OP shared it because I asked, and a lot of people want to continue using Chocolatey because, even though it's not a piece of art in terms of code, it's actually a gem in terms of what we have for Habbo Retro CMSs.

    I would love it if people just collaborated and helped each other improve this HK.

    Also, when I get more time, I would probably ask @LeChris if I can team up with him and help him with his CMS. If he really manages to do a decent job on it, it will rapidly surpass Chocolatey.

    I'm really sorry for not having time to continue Chocolatey; after seeing @LeChris's work I was both happy and sad. Happy because someone is doing a great job, sad because the days of Chocolatey were at their end.

    Thanks for all the support of everyone!


