[Add-on] RevCMS Bcrypt

Hi,

Today I release my version of bcrypt in RevCMS. It's just an add-on, and yeah it has been released somewhere else. It's just not out in the open and the threads that do have it are a bit confusing I guess. I don't honestly recommend bcrypt for retros that know how to defend their DB, I think it only works with retros that have a reputation of weak websites. Like injection etc.

Go to app/class.core.php and find this line:

PHP Code:

final public function hashed($password)     {         return md5($password);     }

and change it to:

PHP Code:

final public function hashed($password)     {         return password_hash($password, PASSWORD_BCRYPT);     }

Step 2, go to class.users.php and find something similar to:

PHP Code:

final public function userValidation($username, $password)    {                 global $engine;         if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)        {            return true;        }                      return false;    }

then change it to:

PHP Code:

final public function userValidation($username, $password)    {                 global $engine;         if($engine->num_rows("SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1") > 0)        return password_verify($password);    }

Re: [Add-on] RevCMS Bcrypt

I think you should also include the code for logging in, i'm pretty sure that if u only use this you just make your site unable to be logged in :D

atm it looks something like this:

Code:

function auth_login(){ if($hashfromdb == hashed($_POST['passu'])){ return true; }else{ return false; }

Wont work because every time you do password_hash($x) it returns a different hash. You should be using password_verify() instead.

Code:

function auth_login(){ if(password_verify($_POST['passu'], $hashfromdb)){ return true; }else{ return false; }

Re: [Add-on] RevCMS Bcrypt

Good shit, although people should be moving away from this CMS and not extending it's life.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by Aamiainen

I think you should also include the code for logging in, i'm pretty sure that if u only use this you just make your site unable to be logged in :D

atm it looks something like this:

Code:

function auth_login(){ if($hashfromdb == hashed($_POST['passu'])){ return true; }else{ return false; }

Wont work because every time you do password_hash($x) it returns a different hash. You should be using password_verify() instead.

Code:

function auth_login(){ if(password_verify($_POST['passu'], $hashfromdb)){ return true; }else{ return false; }

Thanks for reminding me lol.

Fixed post - includes password_verify($password) now. (RZ kinda fucked the styling, easy fix.)

Re: [Add-on] RevCMS Bcrypt

still unusable

boolean password_verify ( string $password , string $hash )

Re: [Add-on] RevCMS Bcrypt

@Jonteh has a good point, or tho this is a decent upgrade users should be moving away from Rev, Yes it was a good CMS but has now become outdated.

Re: [Add-on] RevCMS Bcrypt

Bcrypt never let me down, for sure less decryptable than md5. Thanks!
Do note you can't simply change the hashing method if your hotel already has a user base. Old users will not be able to login again.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by MrSpooks

@Jonteh has a good point, or tho this is a decent upgrade users should be moving away from Rev, Yes it was a good CMS but has now become outdated.

Indeed. This is very outdated code, although from the releases it's still the easiest to use.
From my point of view I see 4 usable CMS's: Chocolatey, RevCMS, BainCMS. Chocolatey uses framework and it actually crashed my hotel several times. BrainCMS I have never used, so can't really say anything about it. I don't personally like RevCMS, I believe it's just easier to use for people.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by Theft

Chocolatey uses framework and it actually crashed my hotel several times.

I don't quite understand how a CMS could crash your Hotel? I understand he's butchered the Lumen Framework but even so, your hotels configuration must be terrible.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by Theft

Indeed. This is very outdated code, although from the releases it's still the easiest to use.
From my point of view I see 4 usable CMS's: Chocolatey, RevCMS, BainCMS. Chocolatey uses framework and it actually crashed my hotel several times. BrainCMS I have never used, so can't really say anything about it. I don't personally like RevCMS, I believe it's just easier to use for people.

Wait. A CMS crashed your hotel? I'm sure something's wrong in your hotel configuration...

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by NoBrain

I don't quite understand how a CMS could crash your Hotel? I understand he's butchered the Lumen Framework but even so, your hotels configuration must be terrible.

This guy sounds to me like he had an issue so instead of figuring out what actually caused the problem he's just blaming the first thing that comes to mind.

A CMS crashing a hotel. Fantastic.

Re: [Add-on] RevCMS Bcrypt

Knowing the userbase on thefts hotels i'd say it's most likely possible that someone has exploited the cms to crash the emu. But idk if thats even possible, never used chocolatey myself.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by NoBrain

I don't quite understand how a CMS could crash your Hotel?

Never underestimate the true power of PhP.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by NoBrain

I don't quite understand how a CMS could crash your Hotel?

Quote:

Originally Posted by maritnmine

Never underestimate the true power of PhP.

That might be the main reason lord @maritnmine made a CMS in ASP.NET in the past.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by Yesser

That might be the main reason lord @maritnmine made a CMS in ASP in the past.

It was in ASP.NET, not ASP.

Re: [Add-on] RevCMS Bcrypt

Quote:

Originally Posted by maritnmine

Never underestimate the true power of PhP.

^^ Was using an old version of Chocolatey, probably had some backdoors or still does. I have nothing against Choco, great project and appreciate the effort @saamus , overall amazing CMS. Just bad experiences. Like Aamiainen stated below, our community is sh*t. If there is a way to attack, it happens.

Quote:

Originally Posted by Aamiainen

Knowing the userbase on thefts hotels i'd say it's most likely possible that someone has exploited the cms to crash the emu. But idk if thats even possible, never used chocolatey myself.

Re: [Add-on] RevCMS Bcrypt

Hi, I was summoned here, eggeg. Thanks fr the concerns @Theft.

But as @maritnmine said, never, never under estimate the power of php. But anyways, how did Chocolatey crashed your hotel? I never received any Issue report of that kind of bug.

Yeah, Chocolatey has some "small" security issues, but none of them are from the Chocolatey itself. Are things like I forgot to block access to the .env file with .htaccess and web.config

Things like that..

Chocolatey uses Lumen Framework, maintained by Laravel. A really great and big community. All the inputs and outputs are handled and managed by Lumen. I don't do any "garbage" code or really complex code or any code that directly takes the input without using the Laravel's Facades.

Also Chocolatey it's on my opinion really easy to use. But yes, I receive a lot of issues of people even knowing how to execute the Laravel's Artisan Helper to Migrate the Database Entities.

Anyways, the community reports suggestions and bugs really often on Chocolatey's GitHub repository, and I'm continuously updating it.

Since there aren't really new things to code, Chocolatey state-of-art is in bug fixes and code improvements, since 98/99% of all Habbo.com features are litereally coded on the exactly way as of Habbo does. (Or something really near to the original experience).

Best regards,
saamus