[BETA] MapleBitCMS

Results 541 to 555 of 681
  1. #541
    Registered Trait is offline
    MemberRank
    Apr 2016 Join Date
    8Posts

    Re: [BETA] MapleBitCMS

    This CMS is quite exposed to XSS in theory, you should consider using htmlentities()/htmlspecialchars() and strip_tags() or optionally run it through a RegEx to strip script tags.
    Nevertheless, cute site.

  2. #542
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by Trait View Post
    This CMS is quite exposed to XSS in theory, you should consider using htmlentities()/htmlspecialchars() and strip_tags() or optionally run it through a RegEx to strip script tags.
    Nevertheless, cute site.
    If you find any vulnerabilities let me know via PM, or submit a PR :)

  3. #543
    Registered Trait is offline
    MemberRank
    Apr 2016 Join Date
    8Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by greenelfx View Post
    If you find any vulnerabilities let me know via PM, or submit a PR :)
    It's quite simple: hacking a database is easier than hacking a host.
    Following this principle, every piece of data you output that came from the database needs to be escaped, because if your database is hacked, the attacker could potentially add malicious code (JavaScript) to some of the data, and whenever that data is called, it may look normal but the malicious script will be injected on the client side. This is a really good way of attacking your victim because in most cases the victim will not even know they are being attacked: for the most part, the visualized output is the same and the malicious part is a <script> tag that's being presented but cannot be seen without viewing the HTML source code.

    It's a very simple way to initiate an attack, often undetectable.
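
The output-escaping approach discussed in the posts above, as an added example that is not part of the thread and not MapleBit code. The `$rows` array is constructed sample data standing in for a database result, and `e()` and the three `render*` functions are hypothetical names; it compares raw output, `strip_tags()` alone, and `htmlspecialchars()` for a value written into element text and into a quoted attribute.

```php
<?php
// Added example: escape database-sourced values at the point of output.
// $rows is constructed sample data standing in for a news-table query result.
$rows = [
    ['title' => 'Patch notes', 'author' => 'admin'],
    ['title' => '<script>alert(1)</script>Event', 'author' => 'gm" onmouseover="alert(1)'],
];

// Hypothetical helper: encode for HTML element and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: raw column values are concatenated into the markup.
function renderRaw(array $row): string
{
    return '<h2 title="' . $row['author'] . '">' . $row['title'] . '</h2>';
}

// strip_tags() removes tags but leaves quotes intact, so the attribute
// value can still close the title="" attribute and add a new one.
function renderStripped(array $row): string
{
    return '<h2 title="' . strip_tags($row['author']) . '">'
        . strip_tags($row['title']) . '</h2>';
}

// Encoded: <, >, & and both quote characters become entities, so the
// browser treats the stored value as text in both contexts.
function renderEscaped(array $row): string
{
    return '<h2 title="' . e($row['author']) . '">' . e($row['title']) . '</h2>';
}

foreach ($rows as $row) {
    echo 'raw:      ', renderRaw($row), PHP_EOL;
    echo 'stripped: ', renderStripped($row), PHP_EOL;
    echo 'escaped:  ', renderEscaped($row), PHP_EOL, PHP_EOL;
}
```

`htmlspecialchars()` as used here covers element text and quoted attributes only; values written into URLs, inline scripts or CSS need encoding specific to those contexts.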

  4. #544
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by Trait View Post
    It's quite simple: hacking a database is easier than hacking a host.
    Following this principle, every piece of data you output that came from the database needs to be escaped, because if your database is hacked, the attacker could potentially add malicious code (JavaScript) to some of the data, and whenever that data is called, it may look normal but the malicious script will be injected on the client side. This is a really good way of attacking your victim because in most cases the victim will not even know they are being attacked: for the most part, the visualized output is the same and the malicious part is a <script> tag that's being presented but cannot be seen without viewing the HTML source code.

    It's a very simple way to initiate an attack, often undetectable.
    I understand how SQL injection works. MapleBit in my mind is inherently insecure because it is not built on a large open source framework, so we don't get nice things like MVC and access to the diverse package ecosystem PHP has to offer. So, if you find any actual, reproducible security issues, please let me know.

  5. #545
    Registered Trait is offline
    MemberRank
    Apr 2016 Join Date
    8Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by greenelfx View Post
    I understand how SQL injection works. MapleBit in my mind is inherently insecure because it is not built on a large open source framework, so we don't get nice things like MVC and access to the diverse package ecosystem PHP has to offer. So, if you find any actual, reproducible security issues, please let me know.
    I wasn't referring to SQL injections, I was talking about XSS (Cross-site scripting).

    Simply put, hacking a database server is fairly easy. Basically, if your database server is hacked, the attacker can use your website to spread malicious viruses or inject his own JavaScript code, without you - the administrator - or your users knowing about it.

    It seems like you heavily underestimate this security issue. This issue is extremely serious because, for the most part, an attacker could easily inject VB code and make you - the user - download a virus file that attaches itself to, say, your svchost.exe or explorer.exe services, and you still won't know about it.

    It's enough for your database, or a related service, to have a zero-day vulnerability or to be outdated to become a huge risk not just to your precious data, but to your visitors.

  6. #546
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by Trait View Post
    I wasn't referring to SQL injections, I was talking about XSS (Cross-site scripting).

    Simply put, hacking a database server is fairly easy. Basically, if your database server is hacked, the attacker can use your website to spread malicious viruses or inject his own JavaScript code, without you - the administrator - or your users knowing about it.

    It seems like you heavily underestimate this security issue. This issue is extremely serious because, for the most part, an attacker could easily inject VB code and make you - the user - download a virus file that attaches itself to, say, your svchost.exe or explorer.exe services, and you still won't know about it.

    It's enough for your database, or a related service, to have a zero-day vulnerability or to be outdated to become a huge risk not just to your precious data, but to your visitors.
    I'm not really sure what you're trying to get at, so let me restate what I've said twice already. I understand XSS/SQL vulnerabilities. I understand that MapleBit may be vulnerable in places. I have done my due diligence when I was actively coding this CMS to ensure that these issues are not present. If you find issues yourself in the code, let me know privately so I can address them.

    I should also clarify that any plain PHP CMS has a possibility of being vulnerable. Obviously if I were to start this project all over in 2016, I would be building it with Symfony components, or using another language altogether. Open source projects like MapleBit rely on the eyes of other developers to ensure security.

  7. #547
    Registered rittleee is offline
    MemberRank
    Apr 2016 Join Date
    15Posts

    Re: [BETA] MapleBitCMS

    Can someone help me please?
    I'm trying to register and it says

    but nothing actually happened in the database (it didn't insert the data).

    How can I fix it please?

  8. #548
    Registered VictorCalh is offline
    MemberRank
    May 2016 Join Date
    5Posts

    Re: [BETA] MapleBitCMS

    Does MapleBit support version 62?

  9. #549
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by VictorCalh View Post
    Does MapleBit support version 62?
    It's not version specific, so yes, it will work.

  10. #550
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Cleaned up a lot of the functions that were leftover from Cype, 15kb -> 1.9kb, if that gives you an idea of how much was removed. I also cleaned up some of the code for member listing and profile pages. The only user-facing feature change is the "site online" feature, which was removed because I didn't think it was that useful, and it wasn't implemented in a way that I liked.

    Also, thanks to @holthelper for submitting his round of cleanups/fixes.
    ---
    updates:
    - Removed most functions in afuncs.php. Renamed to funcs.php for a fresh start!
    - Added better support for blocking login spam. Currently client-side (which technically makes it useless, but eventually will be offloaded to server side for actual security)
    - Refactored all main.php files: Now uses empty(), ===. Removed unnecessary auth checks. Fixed style.
    - Simplified main-news/events/gmblog with new ellipsize() function.
    - Refactored other files to match style.
    - Continued refactor of UCP
    - Remove unnecessary auth checks
    - Change variable names to more easily understandable names
    - Move country HTML in profile-edit to a function that returns an array of country names
    - Add check in profile-name to ensure user doesn't set the profile name to restricted names
    - Disconnect account now processes on page load, eliminating the need for an extra mouse click
    - Removed redundant implode/explode in character fix
    - Began refactoring of Admin Panel
    Last edited by greenelfx; 26-05-16 at 06:01 PM.

  11. #551
    Newbie derpal is offline
    MemberRank
    Aug 2015 Join Date
    2Posts

    Re: [BETA] MapleBitCMS

    Quote Originally Posted by rittleee View Post
    Can someone help me please?
    I'm trying to register and it says

    but nothing actually happened in the database (it didn't insert the data).

    How can I fix it please?
    I'm using the MapleSolaxia source and I fixed it by adding a required value into the tempban column.

    Add this variable to your register.php
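    PHP Code:
    // Fixed timestamp so the NOT NULL tempban column always receives a value
    $tempban = "1990-01-01 10:02:01";
    Then replace your query with this:
    PHP Code:
    // Values are concatenated into the SQL string, so each one must already be escaped before this line
    $insert_user_query = "INSERT INTO accounts (`name`, `password`, `ip`, `email`, `birthday`, `tempban`) VALUES ('".$username."', '".$password."', '".$ip."', '".$email."', '".$birth."', '".$tempban."')";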
    Otherwise, the database will not let you create an account. I'm no MySQL expert and I don't understand PHP but this was the workaround I used.

    Alternatively there's this line in the SQL:
    PHP Code:
    `tempban` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00'
    Which should be setting the proper tempban value but for some reason it doesn't work if you don't set it manually?
    Last edited by derpal; 25-05-16 at 12:26 PM.
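
The same registration INSERT written with bound parameters instead of string concatenation, as an added example that is not part of the thread and not MapleBit code. It assumes PDO with an in-memory SQLite table standing in for the MySQL `accounts` table so it runs without a server; `registerAccount()`, the `$form` keys and all sample values are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline;
// column names follow the query in the post above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    ip       TEXT,
    email    TEXT,
    birthday TEXT,
    tempban  TEXT NOT NULL
)');

// Hypothetical helper: one parameterised INSERT, tempban always supplied explicitly.
function registerAccount(PDO $pdo, array $form, string $ip): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO accounts (name, password, ip, email, birthday, tempban)
         VALUES (:name, :password, :ip, :email, :birthday, :tempban)'
    );
    $stmt->execute([
        ':name'     => $form['username'],
        ':password' => $form['password_hash'], // assumed already hashed for the game server
        ':ip'       => $ip,
        ':email'    => $form['email'],
        ':birthday' => $form['birth'],
        ':tempban'  => '1990-01-01 10:02:01',  // value taken from the post above
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed input: the username contains SQL metacharacters.
$form = [
    'username'      => "bob'); DROP TABLE accounts; --",
    'password_hash' => 'constructed-hash-value',
    'email'         => 'bob@example.test',
    'birth'         => '1990-01-01',
];
$id = registerAccount($pdo, $form, '203.0.113.7');

// The table still exists and the name was stored as literal text.
$check = $pdo->prepare('SELECT name, tempban FROM accounts WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetch(PDO::FETCH_ASSOC));
```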

  12. #552
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    MapleBit officially updated to v1.14! If you are running an older version, it is recommended that you upgrade.
    This release contains many backend fixes, and not a whole lot of user-facing improvements. You can grab the release here. To view the differences between this and the previous release, refer to this link.

    I hope to have MapleBit completely refactored in a week or two. I realized that a lot of the code in the CMS literally dates back to when I was first learning how to program, so a lot of the code was really disorganized and hard to understand. I hope that this release has code that is more easily understandable!

  13. #553
    Member arnoldinyo is offline
    MemberRank
    Jan 2009 Join Date
    72Posts

    Re: [BETA] MapleBitCMS

    I have this issue...

    What should I do?
    the files in the C:\wamp\www\ directory and GD extracted...


  14. #554
    Member iSrael is offline
    MemberRank
    May 2015 Join Date
    42Posts

    Re: [BETA] MapleBitCMS

    I have this error too ^
    Can someone help me?

  15. #555
    very green greenelfx is offline
    True MemberRank
    Jul 2011 Join Date
    1,322Posts

    Re: [BETA] MapleBitCMS

    Fixed a really weird bug that @dorkie4ever found! Basically, if Chrome finds malformed CSS, it loads the page twice. This causes an issue on news/events/blog pages, because it increments the page counter by 2, instead of just one! What a strange bug :P

    You can find the fix here.


