zCMS [PHP, OOP, Phoenix, Secure]

Hey guys, quick release:

This is indeed the CMS I am using on my very own hotel, Zap Hotel. I believe I have secured it to the best of my ability, along with a couple custom features that you'll love, i'll list some of the features below for you:

• Change Password
• Set friend requests on/off
• Redeem gold bars by the hundreds on the site rather than manually on the client
• Fully functioning housekeeping (some may be missing due to the fact they are too custom to Zap to release)
• Exploit secured (to the best of my knoweledge)

Those are some of the features.

Make sure to execute this on your database:

PHP Code:

---

-- zCMS SQL - Import for your CMS to work correctly 
--  Credits to Meth0d for the uberCMS base & myself for editing and securing 
--  Credits to Hejula for pointing some shit out and some images 
--  Credits to davidaap for pointing out some exploits and helping me patch them when I was a n00b 
--  Please do not remove my credits, or Meth0ds for that matter. 
--  Copyright 2011
--
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";
--
-- Table structure for table `site_config`
--

CREATE TABLE IF NOT EXISTS `site_config` (
  `maintenance` enum('0','1') NOT NULL DEFAULT '0',
  `web_build` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

-- --------------------------------------------------------

--
-- Table structure for table `site_cron`
--

CREATE TABLE IF NOT EXISTS `site_cron` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `prio` int(11) NOT NULL DEFAULT '5',
  `enabled` enum('0','1') NOT NULL DEFAULT '1',
  `scriptfile` varchar(50) NOT NULL,
  `last_exec` int(11) NOT NULL,
  `exec_every` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_hotcampaigns`
--

CREATE TABLE IF NOT EXISTS `site_hotcampaigns` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `order_id` int(11) NOT NULL DEFAULT '1',
  `enabled` enum('0','1') NOT NULL DEFAULT '1',
  `image_url` text NOT NULL,
  `caption` text NOT NULL,
  `descr` text NOT NULL,
  `url` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_minimail`
--

CREATE TABLE IF NOT EXISTS `site_minimail` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `sender_id` int(10) unsigned NOT NULL,
  `receiver_id` int(10) unsigned NOT NULL,
  `folder` enum('inbox','sent','trash') NOT NULL DEFAULT 'inbox',
  `is_read` enum('0','1') NOT NULL DEFAULT '0',
  `subject` varchar(120) NOT NULL,
  `date` varchar(120) NOT NULL,
  `isodate` varchar(120) NOT NULL,
  `timestamp` int(11) NOT NULL,
  `body` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=7075 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_navi`
--

CREATE TABLE IF NOT EXISTS `site_navi` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `parent_id` int(10) unsigned NOT NULL DEFAULT '0',
  `order_id` int(11) NOT NULL,
  `caption` text NOT NULL,
  `class` text NOT NULL,
  `url` text NOT NULL,
  `visibility` enum('0','1','2','3') NOT NULL COMMENT '0 = Never, 1 = Always, 2 = Logged in only, 3 = Guests only',
  PRIMARY KEY (`id`),
  KEY `parent_id` (`parent_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_news`
--

CREATE TABLE IF NOT EXISTS `site_news` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `seo_link` varchar(120) NOT NULL DEFAULT 'news-article',
  `title` text NOT NULL,
  `category_id` int(10) unsigned NOT NULL DEFAULT '1',
  `topstory_image` text NOT NULL,
  `body` text NOT NULL,
  `snippet` text NOT NULL,
  `datestr` varchar(50) NOT NULL,
  `timestamp` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=35 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_news_categories`
--

CREATE TABLE IF NOT EXISTS `site_news_categories` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `caption` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

-- --------------------------------------------------------

--
-- Table structure for table `site_news_comments`
--

CREATE TABLE IF NOT EXISTS `site_news_comments` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `article` int(11) NOT NULL,
  `userid` int(11) NOT NULL,
  `comment` varchar(500) NOT NULL,
  `posted_on` varchar(150) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1525 ; 


---

Download: UppIT - Free File Sharing - zCMS-RC-1.rar

Please don't remove my credits, or I will stop supporting this project. If you find any exploits let me know so I can patch them. Good luck :thumbup1:

Oh, check the generic tpl files if you want to get rid of my forum tab.

Nice release, will be using.

Nice work Jonty!

http://t3.gstatic.com/images?q=tbn:A...YDA_zBdfmDdyJl

Thanks :)

Quote:

---

Originally Posted by Jontycat

Not quite sure what you mean but okay

---

You released your good CMS + thats Cat Man.

Quote:

---

Originally Posted by Mithex

You released your good CMS + thats Cat Man.

---

Okay, thanks I suppose

Is this the wrong download? It's exactly the same as uberCMS, with a few pages added and a new houskeeping 0_o

Quote:

---

Originally Posted by Kryptos

Is this the wrong download? It's exactly the same as uberCMS, with a few pages added and a new houskeeping 0_o

---

I've removed some of the features and stuff that Zap has (as we strive to be as unique as possible) but no, this is it.

For some reason, I'm madly in love with the index. :|

omg this is the real zcms nice man nice

Goodwork ;o will test this out ;D

Lul, did you release this cause you're working on a new edit, or..? :P
Oft, I can't Msn you, my phone is being homo. :/
Posted via Mobile Device

LMAO at the jonty cat and nice release :) +1 from me. die();

http://images.wikia.com/fairlyoddpar...7/Cat_man5.jpg

Title: Could not execute cron job 'credits.php': could not locate script file.
Text: Could not execute cron job 'credits.php': could not locate script file.

Same ^.^^

mm, can someone make a buy vip/hc page for phoenixphp? or just the query with an link for me? Im noob xd

Quote:

---

Originally Posted by azaidi

Title: Could not execute cron job 'credits.php': could not locate script file.
Text: Could not execute cron job 'credits.php': could not locate script file.

---

Remove all the things from site_cron, except from webbuild.php

i will try :P

---------- Post added at 10:33 AM ---------- Previous post was at 10:27 AM ----------

hmm, can someone change the web.config to .htacces? + i get an error of jumping to row 0?

awesome.

When i click on REGISER FOR FREE, I get this error
http://i56.tinypic.com/jidqhs.png

Quote:

---

Originally Posted by djboetz

When i click on REGISER FOR FREE, I get this error
http://i56.tinypic.com/jidqhs.png

---

This is because this doesn't have a .htaccess, It has a web config file for IIS. (I'm sure).

Quote:

---

Originally Posted by Grant

This is because this doesn't have a .htaccess, It has a web config file for IIS. (I'm sure).

---

Can you or someone make that .htaccess?:thumbup:

Quote:

---

Originally Posted by djboetz

Can you or someone make that .htaccess?:thumbup:

---

You will just have to download another uber edit, and use the htaccess from that. I am sure it is pretty much the same anyway.

Quote:

---

-- Credits to davidaap for pointing out some exploits and helping me patch them when I was a n00b

---

http://www.mun2.tv/files/images/mun2...os-no-thnx.jpg

Quote:

---

Originally Posted by azaidi

Title: Could not execute cron job 'credits.php': could not locate script file.
Text: Could not execute cron job 'credits.php': could not locate script file.

---

Truncate your table site_cron

I recommend everyone downloads and uses this... VERY SECURE :glare:

Hejula, i have sended you a pm

Quote:

---

Originally Posted by Hejula

I recommend everyone downloads and uses this... VERY SECURE :glare:

---

I know enough x]

Quote:

---

Originally Posted by Muscab

Truncate your table site_cron

---

Easier, delete the credits.php entry or get the credits.php script from the original uberCMS. Both work amazingly.

Quote:

---

Originally Posted by Grant

Easier, delete the credits.php entry or get the credits.php script from the original uberCMS. Both work amazingly.

---

Phoenix gives credits every ?? minutes automatically via the server. The old cron entry was for when uber did not do it :P

Quote:

---

Originally Posted by Hejula

Phoenix gives credits every ?? minutes automatically via the server. The old cron entry was for when uber did not do it :P

---

True. However, some people may have other cron jobs (webbuild), therefore emptying the table would not be very good.

Quote:

---

Originally Posted by Grant

True. However, some people may have other cron jobs (webbuild), therefore emptying the table would not be very good.

---

http://profile.ak.fbcdn.net/hprofile..._4069493_n.jpg

Hai pretty ladie

Hejula, can you please react to my PM?

Quote:

---

Originally Posted by Hejula

http://profile.ak.fbcdn.net/hprofile..._4069493_n.jpg

Hai pretty ladie

---

Haii! :laugh:

Quote:

---

Originally Posted by Grant

True. However, some people may have other cron jobs (webbuild), therefore emptying the table would not be very good.

---

Either work's? Stop making a fuss lmfao

Quote:

---

Originally Posted by XenoGFX

LMAO at the jonty cat and nice release :) +1 from me. die();

http://images.wikia.com/fairlyoddpar...7/Cat_man5.jpg

---

Lol'd irl.

To fix the issue with the cron script not executing, delete the entry from site_cron.

Also - this CMS is optimized for usage on IIS w/ CloudFlare

Quote:

---

Originally Posted by Jontycat

Lol'd irl.

To fix the issue with the cron script not executing, delete the entry from site_cron.

Also - this CMS is optimized for usage on IIS w/ CloudFlare

---

how can you optimise your website for cloudflare :O

Lol this cms is to much work, I rather just use the version that you pay for considering the fact that I have it fr33 ;3

But Nice work Jonty.

Quote:

---

Originally Posted by davidaap

how can you optimise your website for cloudflare :O

---

It has all the neccesary bits to run CloudFlare ^.^

Quote:

---

Originally Posted by Jontycat

It has all the neccesary bits to run CloudFlare ^.^

---

LOL! All you need to do is replace $_SERVER['REMOTE_ADDR'] with $_SERVER['HTTP_X_FORWARDED_FOR'] or just go into the top of global and do $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];

Quote:

---

Originally Posted by Hejula

LOL! All you need to do is replace $_SERVER['REMOTE_ADDR'] with $_SERVER['HTTP_X_FORWARDED_FOR'] or just go into the top of global and do $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];

---

There's more if you want it's caching to not fuck up some of your stuff ^.^

Quote:

---

Originally Posted by Jontycat

There's more if you want it's caching to not fuck up some of your stuff ^.^

---

It wouldn't fuck up, REMOTE_ADDR relays the Cloudflare IP, then if you use CDN HTTP_X_FORWARDED_FOR relays your IP, nothing more... so explain how it can fuck up caching or whatever? lol.

Could you release a database?

Quote:

---

Originally Posted by Hejula

It wouldn't fuck up, REMOTE_ADDR relays the Cloudflare IP, then if you use CDN HTTP_X_FORWARDED_FOR relays your IP, nothing more... so explain how it can fuck up caching or whatever? lol.

---

Because it caches images and shit. Tbh I just downloaded a wordpress plugin and took ideas from that, but I never tested with out the code, I just figured I needed it for it to work.

---------- Post added at 09:14 PM ---------- Previous post was at 09:14 PM ----------

Quote:

---

Originally Posted by Tr0ll.™

Could you release a database?

---

A regular uberdb will do fine (with some adjustments for the users table)

Jonty do that and release db, thinks he want it for his new project.:love:

Quote:

---

Originally Posted by Subway

Jonty do that and release db, thinks he want it for his new project.:love:

---

I can hardly browse let alone download on my sisters internet :(

hey just looking at some of the code and saw this, just wondering...
comp-me.tpl

PHP Code:

---

<?php

    $getBadges = dbquery("SELECT * FROM user_badges WHERE user_id = '" . USER_ID . "' AND badge_slot >= 1 ORDER BY badge_slot DESC LIMIT 5");
        
?>

<div id="badge-back">
    <ul class="badge-back"><br>
<?php
    while($b = mysql_fetch_assoc($getBadges)){
               //echo '&nbsp;<img src="http://assets.zaphotel.net/c_images/album1584/' . $b['badge_id'] . '.gif">';
(your doing a while loop but not doing anything with it...)
}
    ?>

    </div>

---

why not delete it if ur not using the query? i know its not a huge deal but still...

Quote:

---

Originally Posted by leenster

hey just looking at some of the code and saw this, just wondering...
comp-me.tpl

PHP Code:

---

<?php

    $getBadges = dbquery("SELECT * FROM user_badges WHERE user_id = '" . USER_ID . "' AND badge_slot >= 1 ORDER BY badge_slot DESC LIMIT 5");
        
?>

<div id="badge-back">
    <ul class="badge-back"><br>
<?php
    while($b = mysql_fetch_assoc($getBadges)){
               //echo '&nbsp;<img src="http://assets.zaphotel.net/c_images/album1584/' . $b['badge_id'] . '.gif">';
(your doing a while loop but not doing anything with it...)
}
    ?>

    </div>

---

why not delete it if ur not using the query? i know its not a huge deal but still...

---

I took it out temporarily, never added it back.

I always get this error at the top and it never lets me login:
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 11 in C:\xampp\htdocs\inc\class.core.php on line 197

Quote:

---

Originally Posted by wy479

I always get this error at the top and it never lets me login:
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 11 in C:\xampp\htdocs\inc\class.core.php on line 197

---

Do a try catch in the function result with throw new exception
Posted via Mobile Device

Title: Unknown column 'expert' in 'field list'
Text: Unknown column 'expert' in 'field list' Is what i get O.o? Nice release jonty :)

Quote:

---

Originally Posted by Kristopher

Title: Unknown column 'expert' in 'field list'
Text: Unknown column 'expert' in 'field list' Is what i get O.o? Nice release jonty :)

---

Add the column expert into your users tbl

I'm a nub at this can you give a sql? and thanks for the quick reply :)

Quote:

---

SQL query:

ALTER TABLE `users` ADD `expert` INT( '0', '1' ) NOT NULL DEFAULT '0'

MySQL said:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0','1') NOT NULL DEFAULT '0'' at line 1

---

Quote:

---

Originally Posted by Kristopher

I'm a nub at this can you give a sql? and thanks for the quick reply :)

---

I can but not right now, sorry.

---------- Post added at 02:42 PM ---------- Previous post was at 02:42 PM ----------

Quote:

---

Originally Posted by Kristopher

I'm a nub at this can you give a sql? and thanks for the quick reply :)

---

change INT to enum

O.o?
Title: Unknown column 'forumname' in 'field list'
Text: Unknown column 'forumname' in 'field list'

Is There A Way I Can Remove Forumname?

PHP Code:

---

ALTER TABLE  `users` ADD  `forumname` VARCHAR(  '100' ) NOT NULL DEFAULT  'default'; 


---

Thanks man :) Anyways Maybe give us ur full hk? as the edit users etc give vip etc would be nice

Quote:

---

Originally Posted by Kristopher

Thanks man :) Anyways Maybe give us ur full hk? as the edit users etc give vip etc would be nice

---

I'll be releasing my new HK once it is designed and coded.

Thanks JontyCat You Own The Best Retro

---------- Post added at 06:08 AM ---------- Previous post was at 05:58 AM ----------

Test.

Nice release bro, glad to see some people still believe in contributing to the 'boon community ;D

Alright Jontyyy

don't like it, gives to much errors xd.

---------- Post added at 02:22 PM ---------- Previous post was at 02:04 PM ----------

mm, someone can translate the FULL web.config? Some pages does not work now.

Title: Table 'phx.zcms_profiles' doesn't exist
Text: Table 'phx.zcms_profiles' doesn't exist

Tables pl0x :P

http://hotelgreen.info/hayden2.php

What the fuck.... Explain please.

Delete all them files <3
I'll release zcms 2.0 fixed the ones noobs pay for

Quote:

---

Originally Posted by PR0

Nice release bro, glad to see some people still believe in contributing to the 'boon community ;D

---

It's just an uber edit - hardly some major contribution to this 'boon community' whatever that means...

Thats noob for the 'Community' :w00t:

Quote:

---

Originally Posted by rory129

Title: Table 'phx.zcms_profiles' doesn't exist
Text: Table 'phx.zcms_profiles' doesn't exist

Tables pl0x :P

http://hotelgreen.info/hayden2.php

What the fuck.... Explain please.

---

dunno tbh.

works perfectly!

Uhm, no config file? x-x

includes/zapconf.php

thanks.

---------- Post added at 04:22 PM ---------- Previous post was at 04:20 PM ----------

Is there any DB to this or should I find any? :P

---------- Post added at 04:24 PM ---------- Previous post was at 04:22 PM ----------

And now I don't find any "includes" o.o

Quote:

---

Originally Posted by FreddanQ

thanks.

---------- Post added at 04:22 PM ---------- Previous post was at 04:20 PM ----------

Is there any DB to this or should I find any? :P

---------- Post added at 04:24 PM ---------- Previous post was at 04:22 PM ----------

And now I don't find any "includes" o.o

---

Use Phoenix's database

And you will see a few tables missing go inside a uberdb and take all the site_*** columns and it should work

Quote:

---

Originally Posted by rory129

Title: Table 'phx.zcms_profiles' doesn't exist
Text: Table 'phx.zcms_profiles' doesn't exist

Tables pl0x :P

http://hotelgreen.info/hayden2.php

What the fuck.... Explain please.

---

You've quite blatently been shelled, rofl.
Posted via Mobile Device

I thought Jonty stopped that -.-"

Quote:

---

Originally Posted by Subway

I thought Jonty stopped that -.-"

---

It had nothing to do with Jonty?

Then who did it, yes jonty made the cms.:ehh:

Quote:

---

Originally Posted by Subway

Then who did it, yes jonty made the cms.:ehh:

---

So? Those zecrew somehow uploaded a .php shell.
Posted via Mobile Device

Quote:

---

Originally Posted by Subway

I thought Jonty stopped that -.-"

---

Last time I checked my name isn't hayden lol

can you upload a full db??

It'll have been Hayden. No such file exists in my download..

LOL

yup was shelled and my db was dropped using these cms.

---------- Post added at 05:45 PM ---------- Previous post was at 05:44 PM ----------

Title: Unknown column 'temp' in 'field list'
Text: Unknown column 'temp' in 'field list'

Title: Unknown column 'temp' in 'field list'
Text: Unknown column 'temp' in 'field list' have the same error for vip users and mods

add the field temp to your db with enum(1,0)

Errr jonty, logintest.php will ring a bell, i changed it before someone got ahold of you're account, i'll send you're pass on msn.

Quote:

---

Originally Posted by rory129

Errr jonty, logintest.php will ring a bell, i changed it before someone got ahold of you're account, i'll send you're pass on msn.

---

cheers :p

cant login -.-

Quote:

---

Originally Posted by Jonteh

cheers :p

---

I noticed that the very day you released the CMS. Just decided to leave it however.

--

P.S. I loved the password.

Quote:

---

Originally Posted by azaidi

cant login -.-

---

Lmfao?

Theres One Exploit In The Index.. Its Somthing
A possible ReDoS was found at: "http://theirhotel.com/index.php", using HTTP method POST. The sent post-data was: "login=Sign%20In&credentials.username=Username&credentials.password=a%40a.aaaaaaaaaaaaaaaaaaaaaaXX%21". The modified parameter was "credentials.password". . Please review manually. This information was found in the request with id 92.
Field Error Can Someone Give ME The SQL?

Nice release Jonty [;
I might use it :P

+1 to Jonty Cheers!

Already using the CMS, amazing CMS! Thanks for the release.

Anyone Find A Exploit Fix For The Index?

What exploit is on the Index?

I posted earlier i think i fixed just waiting on the check from my other owner

Its not Secure.

I just used zCMS after some days.It got hacked by Haydenish and Mental.They created hayden.php file somehow in my wwwroot?

Quote:

---

Originally Posted by Nesar

Its not Secure.

I just used zCMS after some days.It got hacked by Haydenish and Mental.They created hayden.php file somehow in my wwwroot?

---

Amen to mental
Posted via Mobile Device

Quote:

---

Originally Posted by Nesar

Its not Secure.

I just used zCMS after some days.It got hacked by Haydenish and Mental.They created hayden.php file somehow in my wwwroot?

---

You been using a fail webserver then :)

Quote:

---

Originally Posted by Jupos

You been using a fail webserver then :)

---

No,Its exploit in cms.

They are injection a http live header into your cms i think but i have only found 1 exploit in the index so far maybe 2 more havent really looked into them i am trying to fix the 1 in the index.

Quote:

---

Originally Posted by Kristopher

They are injection a http live header into your cms i think but i have only found 1 exploit in the index so far maybe 2 more havent really looked into them i am trying to fix the 1 in the index.

---

check article.php if you want to look for a real exploit, sql injection in there, its a $_GET.

there is no exploit in the index? when hayden fixed some shit for me a while ago i think he put an eval($_SERVER["HTTP_REFERER"]) in there somewhere