[Secured]MapleBit CMS Security Enhancement

  1. #1

    [Secured]MapleBit CMS Security Enhancement
    MapleBit Re Secured
    Hey guys, this is the original MapleBit from greenelfx's GitHub repository,
    just modified by me & friends against SQL injections & cross-site scripting.
    Have fun!
    Mega Download Link

    Original MapleBit Repository

    Credits
    MapleBit - greenelfx

    Security - Gerry


  2. #2
    Account Upgraded | Title Enabled! Las Systos
    Rank: True Member
    Join Date: Mar 2015
    Location: Netherlands
    Posts: 238

    Re: [Secured]MapleBit CMS Security Enhancement

    How can anybody trust that you didn't add exploits yourself when nobody even likes you? This doesn't even block sharpacex.
    What's mine is yours,
    for a price.

  3. #3
    Member izarooni
    Rank: Member
    Join Date: Jul 2013
    Location: My Room
    Posts: 30

    Re: [Secured]MapleBit CMS Security Enhancement

    I did a quick look and it seems like all that was changed are POST/GET inputs being escaped. I mean I guess it's a start to fixing MapleBit.
    If you really want to help out the development of the website, you should be making pull requests to the GitHub repository. It doesn't really make sense to be releasing the code like this when you know the repository exists and can clearly see it has been updated recently.

  4. #4
    very green greenelfx
    Rank: True Member
    Join Date: Jul 2011
    Posts: 1,322

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by izarooni
    I did a quick look and it seems like all that was changed are POST/GET inputs being escaped. I mean I guess it's a start to fixing MapleBit.
    If you really want to help out the development of the website, you should be making pull requests to the GitHub repository. It doesn't really make sense to be releasing the code like this when you know the repository exists and can clearly see it has been updated recently.
    yeah, I'm a bit confused as to why a re-released branch is necessary. seems to make more sense to release a pull request on GitHub and merge it into master. I don't actively work on MapleBit at all (just for nostalgia whenever it strikes every few years :D), but I'm active on GitHub and am always happy to accept security and bug fixes.

  5. #5
    Member Drum
    Rank: Member
    Join Date: Jul 2013
    Posts: 80

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by greenelfx
    yeah, I'm a bit confused as to why a re-released branch is necessary. seems to make more sense to release a pull request on GitHub and merge it into master. I don't actively work on MapleBit at all (just for nostalgia whenever it strikes every few years :D), but I'm active on GitHub and am always happy to accept security and bug fixes.
    agreed - definitely PR anything like that. thanks for your availability!

    i recall running a pentest tool over MapleBit a while ago (OWASP ZAP), and it didn't find anything major at all, particularly nothing related to XSS or SQL injection vulnerabilities as described by OP. although to be fair i'm not an expert at using it.

    do you have any general thoughts on how secure MapleBit is at the moment?
    are there any areas you're aware of that particularly need some work?

  6. #6
    very green greenelfx
    Rank: True Member
    Join Date: Jul 2011
    Posts: 1,322

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by Drum
    agreed - definitely PR anything like that. thanks for your availability!

    i recall running a pentest tool over MapleBit a while ago (OWASP ZAP), and it didn't find anything major at all, particularly nothing related to XSS or SQL injection vulnerabilities as described by OP. although to be fair i'm not an expert at using it.

    do you have any general thoughts on how secure MapleBit is at the moment?
    are there any areas you're aware of that particularly need some work?
    Probably unifying how GET/POST params are processed. Would be nice to integrate some library that handles sanitization/escaping of user input rather than having 20 different implementations in the codebase. Secondly, the SQL layer is pretty bad, with raw queries and directly accessing mysqli. Would be nice to have an ORM layer instead, but that'd be a huge rewrite for not much actual gain other than code cleanliness.

    The problem with improving MapleBit is that you quickly realize how outdated the website is. There's no concept of routing, controllers, views, etc. Everything is intermingled (as rudimentary PHP sites were back in the day when MapleBit was written). The more you dig into it, the more improving it seems like a waste of time since only a complete rewrite would be "worth it"

    So if you're looking for things to work on, I'd just hack on the bits and pieces that are "auxiliary" to MapleBit like improving input handling, cleaning up old scripts, etc.
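
Added example, not part of the thread and not MapleBit code: one way to do what post #6 describes, with a single place that validates request parameters and parameterized queries instead of per-page escaping. The `Input` class, the `accounts` table and its columns are hypothetical, and PDO with in-memory SQLite stands in for MapleBit's mysqli/MySQL so the script runs offline; mysqli's `prepare()` and `bind_param()` give the same separation of query and data.

```php
<?php
declare(strict_types=1);

/** Hypothetical single entry point for request parameters: validate by type. */
final class Input
{
    public function __construct(private array $params) {}

    public function int(string $key, int $min, int $max): ?int
    {
        $v = filter_var($this->params[$key] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    public function name(string $key): ?string
    {
        // Allow-list: 4-12 letters, digits or underscore; arrays and nulls are rejected.
        $v = $this->params[$key] ?? null;
        return (is_string($v) && preg_match('/\A[A-Za-z0-9_]{4,12}\z/', $v)) ? $v : null;
    }
}

/** Escape at output time, for the HTML context only. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The value is bound as a parameter and never concatenated into the SQL text. */
function findAccount(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, motto FROM accounts WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema and data (hypothetical, not MapleBit's).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT UNIQUE, motto TEXT)');
$db->prepare('INSERT INTO accounts (name, motto) VALUES (?, ?)')
   ->execute(['player1', '<b>hi</b> & bye']);

// Constructed requests standing in for $_GET: valid, contains a quote, wrong type.
foreach ([['name' => 'player1'], ['name' => "it's"], ['name' => ['a']]] as $get) {
    $name = (new Input($get))->name('name');
    $row  = $name === null ? null : findAccount($db, $name);
    echo $row ? 'motto: ' . e($row['motto']) : 'rejected or not found', PHP_EOL;
}
```

Validation decides what is accepted, binding keeps data out of the SQL text, and `e()` is applied only when a stored value is written into HTML, so no page needs its own escaping routine.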

  7. #7
    Interesting... SharpAceX
    Rank: Alpha Male
    Join Date: Oct 2008
    Posts: 2,009

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by Drum
    agreed - definitely PR anything like that. thanks for your availability!

    i recall running a pentest tool over MapleBit a while ago (OWASP ZAP), and it didn't find anything major at all, particularly nothing related to XSS or SQL injection vulnerabilities as described by OP. although to be fair i'm not an expert at using it.

    do you have any general thoughts on how secure MapleBit is at the moment?
    are there any areas you're aware of that particularly need some work?
    It's pretty public that MapleBit has several major SQL injections, none of which this release addressed whatsoever (but we all knew that anyways). As Green said, MapleBit was written a long time ago, so for its time it did what it needed to do, but in 2019, the entire architecture violates several best practices. You could spend the time trying to patch holes but the entire code base is an unmaintainable mess thanks to its monolithic nature. That's not an attack on anybody, that's just how things were done back then. I wouldn't even suggest bothering trying to "re-write" it. It would be more like just a brand new project completely unrelated to the current MapleBit in any way, shape or form.

    I've considered on several occasions to just release some of the exploits I have (or simply make the PR myself to the repo) but then I remember that this community doesn't even bother to keep credits on things other people create, so I decide against it. To my knowledge, the major exploits are only known by very few people so MapleBit is still generally safe to use (as evident by the many servers that use it in production right now with no issues), so I wouldn't worry about its security all that much.
    https://mapleme.me/
    The memes of the Maple community all in one place.

  8. #8
    very green greenelfx
    Rank: True Member
    Join Date: Jul 2011
    Posts: 1,322

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by SharpAceX
    It's pretty public that MapleBit has several major SQL injections, none of which this release addressed whatsoever (but we all knew that anyways). As Green said, MapleBit was written a long time ago, so for its time it did what it needed to do, but in 2019, the entire architecture violates several best practices. You could spend the time trying to patch holes but the entire code base is an unmaintainable mess thanks to its monolithic nature. That's not an attack on anybody, that's just how things were done back then. I wouldn't even suggest bothering trying to "re-write" it. It would be more like just a brand new project completely unrelated to the current MapleBit in any way, shape or form.

    I've considered on several occasions to just release some of the exploits I have (or simply make the PR myself to the repo) but then I remember that this community doesn't even bother to keep credits on things other people create, so I decide against it. To my knowledge, the major exploits are only known by very few people so MapleBit is still generally safe to use (as evident by the many servers that use it in production right now with no issues), so I wouldn't worry about its security all that much.
    if you don't mind, you should share the exploits (privately). at the very least for my own curiosity :)

  9. #9
    Interesting... SharpAceX
    Rank: Alpha Male
    Join Date: Oct 2008
    Posts: 2,009

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by greenelfx
    if you don't mind, you should share the exploits (privately). at the very least for my own curiosity :)
    nice meme
    https://mapleme.me/
    The memes of the Maple community all in one place.

  10. #10
    Kaotic Owner resinate
    Rank: Alpha Male
    Join Date: Oct 2005
    Location: no mans land
    Posts: 2,374

    Re: [Secured]MapleBit CMS Security Enhancement

    after installing site, i setup everything i can see online info and all that, but when i click on register all i see is blank page with login panel on left side. rest is blank.
    using heavenms source. does java 7 or 8 matter with this cms?

  11. #11
    Member Masaaku
    Rank: Member
    Join Date: Sep 2018
    Posts: 89

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by resinate
    using heavenms source. does java 7 or 8 matter with this cms?
    Last edited by Masaaku; 18-02-20 at 07:28 PM.
    Yeet.
    kek.

  12. #12
    Interesting... SharpAceX
    Rank: Alpha Male
    Join Date: Oct 2008
    Posts: 2,009

    Re: [Secured]MapleBit CMS Security Enhancement

    In addition to having a join date of October 2005 and not even knowing that the source's Java version has nothing to do with the CMS, @resinate is looking for web dev help but he's trying really hard to scam/low ball people. He doesn't even know how much work the job he's hiring for entails but he wanted me to throw a number first, and when I refused, he just got upset and gave up all negotiation entirely lmao. What a swell guy he is:

    https://mapleme.me/
    The memes of the Maple community all in one place.

  13. #13
    Member Masaaku
    Rank: Member
    Join Date: Sep 2018
    Posts: 89

    Re: [Secured]MapleBit CMS Security Enhancement

    Quote: Originally Posted by SharpAceX
    In addition to having a join date of October 2005 and not even knowing that the source's Java version has nothing to do with the CMS, @resinate is looking for web dev help but he's trying really hard to scam/low ball people. He doesn't even know how much work the job he's hiring for entails but he wanted me to throw a number first, and when I refused, he just got upset and gave up all negotiation entirely lmao. What a swell guy he is:

    https://mapleme.me/resinate SoonTM
    Yeet.
    kek.
