Welcome!

Join our community of MMO enthusiasts and game developers! By registering, you'll gain access to discussions on the latest developments in MMO server files and collaborate with like-minded individuals. Join us today and unlock the potential of MMO server development!

Join Today!

[BETA] MapleBitCMS

Newbie Spellweaver
Joined
Apr 25, 2016
Messages
8
Reaction score
0
This CMS is quite exposed to XSS in theory, you should consider using htmlentities()/htmlspecialchars() and strip_tags() or optionally run it through a RegEx to strip script tags.
Nevertheless, cute site.
 
Newbie Spellweaver
Joined
Apr 25, 2016
Messages
8
Reaction score
0
If you find any vulnerabilities let me know via PM, or submit a PR :)
It's quite simple, hacking a database is easier than hacking a host.
Following this principle, every piece of data you output that came from the database needs to be escaped because if your database is hacked, the attacker could potentially add malicious code (Javascript) to some of the data and that whenever that data is called, it may look normal but the malicious script will be injected on client side, this is a really good way of attacking your victim because in most cases the victim will not even know they are being attacked because for the most part, the visualized output is the same and the malicious part is a <script> tag that's being presented but cannot be seen without viewing the HTML source code.

It's a very simple way to initiate an attack, often undetectable.
 
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
It's quite simple, hacking a database is easier than hacking a host.
Following this principle, every piece of data you output that came from the database needs to be escaped because if your database is hacked, the attacker could potentially add malicious code (Javascript) to some of the data and that whenever that data is called, it may look normal but the malicious script will be injected on client side, this is a really good way of attacking your victim because in most cases the victim will not even know they are being attacked because for the most part, the visualized output is the same and the malicious part is a <script> tag that's being presented but cannot be seen without viewing the HTML source code.

It's a very simple way to initiate an attack, often undetectable.

I understand how SQL injection works. MapleBit in my mind is inherently insecure because it is not built on a large open source framework, so we don't get nice things like MVC and access to the diverse package ecosystem PHP has to offer. So, if you find any actual, reproduceable, security issues please let me know.
 
Newbie Spellweaver
Joined
Apr 25, 2016
Messages
8
Reaction score
0
I understand how SQL injection works. MapleBit in my mind is inherently insecure because it is not built on a large open source framework, so we don't get nice things like MVC and access to the diverse package ecosystem PHP has to offer. So, if you find any actual, reproduceable, security issues please let me know.
I wasn't referring to SQL injections, I was talking about XSS ( ).

Simply put, hacking a Database server is fairly easy, basically if your database server is hacked, the attacker can use your website to spread malicious virus or inject his own Javascript code, without you - the administrator or your users knowing about it.

It seems like you heavily underestimate this security issue, this issue is extremely serious because for the most part, an attacker could easily inject a VB code and make you - the user, download a virus file that attaches itself to say your svchost.exe or explorer.exe services and you still wont know about it.

It's enough that your Database, or a related service will have a zero day vulnerability or will be outdated, to become a huge risk not just to your precious data, but to your visitors.
 
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
I wasn't referring to SQL injections, I was talking about XSS ( ).

Simply put, hacking a Database server is fairly easy, basically if your database server is hacked, the attacker can use your website to spread malicious virus or inject his own Javascript code, without you - the administrator or your users knowing about it.

It seems like you heavily underestimate this security issue, this issue is extremely serious because for the most part, an attacker could easily inject a VB code and make you - the user, download a virus file that attaches itself to say your svchost.exe or explorer.exe services and you still wont know about it.

It's enough that your Database, or a related service will have a zero day vulnerability or will be outdated, to become a huge risk not just to your precious data, but to your visitors.

I'm not really sure what you're trying to get at, so let me restate what I've said twice already. I understand XSS/SQL vulnerabilities. I understand that MapleBit may be vulnerable in places. I have done my due diligence when I was actively coding this CMS to ensure that these issues are not present. If you find issues yourself in the code, let me know privately so I can address them.

I should also clarify that any plain PHP CMS has a possibility of being vulnerable. Obviously if I were to start this project all over in 2016, I would be building it with Symfony components, or using another language all together. Open source projects like MapleBit rely on the eyes of other developers to ensure security.
 
Newbie Spellweaver
Joined
Apr 27, 2016
Messages
15
Reaction score
0
can some1 help me please?
im trying to register and its says
66Lxx6l - [BETA] MapleBitCMS - RaGEZONE Forums

but nothing actually happend in the database. ( it didnt insert the data)

How can i fix it please?
 

Attachments

You must be registered for see attachments list
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
Cleaned up a lot of the functions that were leftover from Cype, 15kb -> 1.9kb, if that gives you an idea of how much was removed. I also cleaned up some of the code for member listing and profile pages. The only user-facing feature change is the "site online" feature, which was removed because I didn't think it was that useful, and it wasn't implemented in a way that I liked.

Also, thanks to holthelper for submitting his round of cleanups/fixes.
---
updates:
- Removed most functions in afuncs.php. Renamed to funcs.php for a fresh start!
- Added better support for blocking login spam. Currently client sided (which technically makes it useless, but eventually will be offloaded to server side for actual security)
- Refactored all main.php files: Now uses empty(), ===. Removed unnecessary auth checks. Fixed style.
- Simplified main-news/events/gmblog with new ellipsize() function.
- Refactored other files to match style.
- Continued refactor of UCP
- Remove unnecessary auth checks
- Change variable names to more easily understandable names
- Move country HTML in profile-edit to a function that returns an array of country names
- Add check in profile-name to ensure user doesn't set the profile name to restricted names
- Disconnect account now processes on page load, eliminating the need for an extra mouse click
- Removed redundant implode/explode in character fix
- Began refactoring of Admin Panel
 
Last edited:
Initiate Mage
Joined
Aug 19, 2015
Messages
2
Reaction score
0
can some1 help me please?
im trying to register and its says
66Lxx6l - [BETA] MapleBitCMS - RaGEZONE Forums

but nothing actually happend in the database. ( it didnt insert the data)

How can i fix it please?

I'm using the MapleSolaxia source and I fixed it by adding a required value into the tempban column.

Add this variable to your register.php
PHP:
$tempban = "1990-01-01 10:02:01";

Then replace your query with this:
PHP:
$insert_user_query = "INSERT INTO accounts (`name`, `password`, `ip`, `email`, `birthday`, `tempban`) VALUES ('".$username."', '".$password."', '".$ip."', '".$email."', '".$birth."', '".$tempban."')";

Otherwise, the database will not let you create an account. I'm no MySQL expert and I don't understand PHP but this was the workaround I used.

Alternatively there's this line in the SQL:
PHP:
`tempban` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00'

Which should be setting the proper tempban value but for some reason it doesn't work if you don't set it manually?
 

Attachments

You must be registered for see attachments list
Last edited:
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
MapleBit officially updated to v1.14! If you are running an older version, it is recommended that you upgrade.
This release contains many backend fixes, and not a whole lot of user-facing improvements. You can grab the release To view the differences between this and the previous release,

I hope to have MapleBit completely refactored in a week or two. I realized that a lot of the code in the CMS literally dates back to when I was first learning how to program, so a lot of the code was really disorganized and hard to understand. I hope that this release has code that is more easily understandable!
 
Newbie Spellweaver
Joined
Jan 22, 2009
Messages
72
Reaction score
0
i have this issue...

what should i do?
the files in the C:\wamp\www\ directroy and GD extracted...

 
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
Fixed a really weird bug that dorkie4ever found! Basically, if chrome finds malformed CSS, it loads the page twice. This causes an issue on news/events/blog pages, because it increments the page counter by 2, instead of just one! What a strange bug :p

You can find the
 
Experienced Elementalist
Joined
Nov 21, 2008
Messages
297
Reaction score
38
Fixed a really weird bug that dorkie4ever found! Basically, if chrome finds malformed CSS, it loads the page twice. This causes an issue on news/events/blog pages, because it increments the page counter by 2, instead of just one! What a strange bug :p

You can find the

im curious, how is refactoring all of maplebit coming along? is that still a thing? :huh:
 
Joined
Jul 12, 2011
Messages
1,229
Reaction score
475
im curious, how is refactoring all of maplebit coming along? is that still a thing? :huh:

Yep! No actual code improvements (other than minor fixes here and there), unfortunately. Updating this site to 2016 PHP standards would be a waste of time, and it'd be way faster to start from scratch, but I don't have the time for that anymore :p
I'm hoping to have the site cleaned up by the end of summer, and turns out, we're pretty close to getting there! The only pages that need to be refactored now are the news/events/blog and corresponding management pages.

Refactoring the entire site means that I've caught a couple bugs, fixed a few things here and there. I wrote this site when I was learning PHP and programming, so sometimes you'll find things like this
PHP:
for($i = 0; $i <= $totalids-1; $i++)  // instead of for($i = 0; $i < $totalids; $i++) {
or
if($gettime['githubapi'] == "") // instead of empty
which obviously isn't the "right" way of doing things. Now that most of the code has been cleaned up, I can identify and fix issues/bugs faster (if they crop up at all now).
 
Newbie Spellweaver
Joined
Nov 28, 2015
Messages
18
Reaction score
0
How come calling onto character/guild table works in rankings.php but can't do accounts? I need a.banned to work so I can remove banned players from ranks. I remember a year ago I got so fed up with trying to fix it that I just did a sloppy work around and made banned column in characters and had all banned accounts = banned characters but there must be a much simpler way right? Lol.
 
Infraction Baɴɴed
Loyal Member
Joined
Apr 9, 2008
Messages
1,416
Reaction score
169
How come calling onto character/guild table works in rankings.php but can't do accounts? I need a.banned to work so I can remove banned players from ranks. I remember a year ago I got so fed up with trying to fix it that I just did a sloppy work around and made banned column in characters and had all banned accounts = banned characters but there must be a much simpler way right? Lol.
in the query you need to do a join accounts and characters based off account id *i believe* and do a check to see if banned >= 1.
 
Newbie Spellweaver
Joined
Nov 28, 2015
Messages
18
Reaction score
0
in the query you need to do a join accounts and characters based off account id *i believe* and do a check to see if banned >= 1.

i've tried and I think it won't let me because it already has a join guild?

Code:
g.logoBG AS logoBG FROM characters c LEFT JOIN guilds g ON c.guildid = g.guildid WHERE c.gm < $gmlevel

because i've tried doing

Code:
a.banned AS banned FROM characters c LEFT JOIN accounts a ON c.accountid = a.id WHERE c.gm < '$gmlevel' AND banned = 0

but it keeps giving an error saying I am not allowed and shows the g.logoBG line
 
Back
Top