Metin2CMS v2.0

Old   #1
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
Metin2CMS v2.8

Author: Ionuț ( me )
Size: 3.54 MB
Version: v2.8
Type: Open-Source

Features: Modern design with elements in bootstrap (v4 alpha 3), admin panel (currently in beta), member panel (currently basic systems), update system, registration, general settings in the admin panel, offline system (if the server is offline, notifications will be displayed, also the last copy of the top site), database of news is sqlite, settings files are in json.
Language: English & Romanian


Preview:


Download:
Documentation:

Install:
Just edit config.php with your data.

The CMS is not complete. It will be updated.


I expect constructive criticism / opinions / advice. To report an error:



IonutPop is offline  
Thanks
1 User
Old   #2
 
elite*gold: 0
The Black Market: 105/0/0
Join Date: May 2016
Posts: 8,568
Received Thanks: 1,477
Quote:
Originally Posted by IonutPop View Post
Author: Ionuț ( me )
Size: 3.54 MB
Version: v2.1
Type: Open-Source

Features: Modern design with elements in bootstrap (v4 alpha 3), admin panel (currently in beta), member panel (currently basic systems), update system, registration, general settings in the admin panel, offline system (if the server is offline, notifications will be displayed, also the last copy of the top site), database of news is sqlite, settings files are in json.
Language: English & Romanian


Preview:


Download:

Install:
Just edit config.php with your data.

The CMS is not complete. It will be updated.

I expect constructive criticism / opinions / advice. To report an error:
For the Pictures You need more Activity or Posts to show Pictures.


悪地城 is online now  
Old   #3
 
elite*gold: 586
Join Date: Oct 2009
Posts: 111
Received Thanks: 26
Gj guy !
lordord is offline  
Old   #4
 
elite*gold: 0
Join Date: Dec 2016
Posts: 1
Received Thanks: 0
Thank you! Links working!


Lunico is offline  
Old   #5
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
#update

Fixed bugs, problem with delete download links. Added vote4coins.
IonutPop is offline  
Old   #6
 
elite*gold: 0
Join Date: Apr 2015
Posts: 431
Received Thanks: 357
Hi, maybe I found an exploit:
if $_SESSION['captcha_email']['code'] is null so this could be an exploit

Look at...

Metin2CMS/include/functions/email.php:

Sending: [email protected]&captcha

PHP Code:
$myEmail = getAccountEmail($_SESSION['id']);
$message = 0;
if (isset($_GET['code']) && !empty($_GET['code']) && strlen($_GET['code']) == 32) {
    if (check_email_token($myEmail, $_GET['code'])) {
        updateNewEmail();
        update_email_token($_SESSION['id'], '');
        header("Location: " . $site_url . "user/administration");
        die();
    } else {
        $message = 5;
    }
} else if (isset($_POST['email']) && isset($_POST['captcha'])) {
    // Loose ==: an empty captcha field matches an unset (null) session code
    if ($_POST['captcha'] == $_SESSION['captcha_email']['code']) {
        $email = $_POST['email'];

        if (isValidEmail($email)) {
            if (!$database->checkUserEmail($email)) {
                $code = generateSocialID(32);
                update_email_token($_SESSION['id'], $code);
                update_new_email($_SESSION['id'], $email);
                $message = 4;
            } else $message = 1;

        } else $message = 2;

    } else $message = 3;
}

Results:

PHP Code:
if (isset($_GET['code']) && !empty($_GET['code']) && strlen($_GET['code']) == 32) // false
if (isset($_POST['email']) && isset($_POST['captcha'])) // true
if ($_POST['captcha'] == $_SESSION['captcha_email']['code']) // true
if (isValidEmail($email)) // true
if (!$database->checkUserEmail($email)) // true if there's no email like this
// -> $message = 4; 

Metin2CMS/pages/email.php:

PHP Code:
if (isset($_POST['email']) && isset($_POST['captcha'])) {
    if ($message == 4) {
        print '<div class="alert alert-info alert-dismissible fade in" role="alert">
                              <button type="button" class="close" data-dismiss="alert" aria-label="Close">
                                <span aria-hidden="true">&times;</span>
                              </button>';
        print $lang['sended-link'];
        print '</div>';

        $code = '<br><br><a href="' . $site_url . 'user/email/' . $code . '" target="_blank" style="display: inline-block; color: #ffffff; background-color: #3498db; border: solid 1px #3498db; border-radius: 5px; box-sizing: border-box; cursor: pointer; text-decoration: none; font-size: 14px; font-weight: bold; margin: 0; padding: 12px 25px; text-transform: capitalize; border-color: #3498db;">' . $lang['change-email'] . '</a>';

        $alt_message = $lang['change-email'];
        $subject = $lang['change-email'];
        $sendName = getAccountName($_SESSION['id']);
        $sendEmail = $myEmail;

        $html_mail = sendCode($_POST['email'], $code, 5);
        include 'include/functions/sendEmail.php';
    }
// ...
Results:

PHP Code:
if (isset($_POST['email']) && isset($_POST['captcha'])) // true
if ($message == 4) // true
So, I could send this mail to me:


and retrieve the code/password.

Type of attack: https://en.wikipedia.org/wiki/Cross-...equest_forgery

If you need more information about this glitch/exploit, help in finding/fixing or even adding new stuff, add me on skype: mrx.epvp :P actually I like your project ^^

But there are a lot of misused PHP functions and a bad practice coding style.

edit:

Something else, please do not print out validated emails (validated with php's filter validation) directly

Metin2CMS/checkusername.php

Sending: "<script>alert(document.cookie)</script>"@test.test

PHP Code:
if (isset($_POST['email'])) {
    if (isValidEmail($_POST['email'])) {
        // filter_var('"<script>alert(document.cookie)</script>"@test.test', FILTER_VALIDATE_EMAIL)
        print $database->checkUserEmail($_POST['email']);
    } else print 0;
} else print 0;
#Metho is offline  
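
The two points in the post above, the captcha comparison and the "validated is not escaped" advice, shown as an added example; this is not Metin2CMS code and not the poster's. The function names `captchaMatchesLoose`, `captchaMatchesStrict` and `emailForHtml` are hypothetical, and the request, session and captcha values are constructed.

```php
<?php
// Added example; not Metin2CMS code. All function names are hypothetical.

// Before: the captcha test from include/functions/email.php in isolation.
// "?? null" only silences the undefined-index notice; the result is the same.
function captchaMatchesLoose(array $post, array $session): bool
{
    return $post['captcha'] == ($session['captcha_email']['code'] ?? null);
}

// After: both sides must be non-empty strings, the comparison is strict and
// constant-time, and the code is single-use.
function captchaMatchesStrict(array $post, array &$session): bool
{
    $expected = $session['captcha_email']['code'] ?? null;
    $given    = $post['captcha'] ?? null;
    unset($session['captcha_email']);
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Validation is not output encoding: escape the address wherever it is
// written into HTML, including HTML mail bodies.
function emailForHtml(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: empty captcha field, session that never got a captcha.
$post    = ['email' => 'user@example.test', 'captcha' => ''];
$session = ['id' => 1];
var_dump(captchaMatchesLoose($post, $session));
var_dump(captchaMatchesStrict($post, $session));

// Constructed matching pair: accepted once, rejected on replay.
$session['captcha_email'] = ['code' => 'k7Qd2'];
$post['captcha'] = 'k7Qd2';
var_dump(captchaMatchesStrict($post, $session));
var_dump(captchaMatchesStrict($post, $session));

// The address from the post above, encoded for HTML output.
var_dump(emailForHtml('"<script>alert(document.cookie)</script>"@test.test'));
```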
Old   #7
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
Thank you for warning me, I made an update to fix this problem.
IonutPop is offline  
Old   #8
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
#update
Added player management, fixed some problems with vote4coins, added functions for modules and themes, added statistics.
IonutPop is offline  
Old   #9
 
elite*gold: 0
Join Date: Jun 2017
Posts: 8
Received Thanks: 4
looks like hen cms to me
cant find any modern coding
y'all should also stop calling it cms
it's not even close to a cms
​​lua god is offline  
Old   #10

 
elite*gold: 83
Join Date: Nov 2013
Posts: 2,870
Received Thanks: 2,693
That design looks familiar ...
rollback is offline  
Thanks
1 User
Old   #11
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
Quote:
Originally Posted by ​​lua *** View Post
looks like hen cms to me
cant find any modern coding
y'all should also stop calling it cms
it's not even close to a cms
Can't find any modern coding? )))
CMS = content management system
As long as the administrator has the tools necessary for rapid editing, it can be considered a CMS.

Quote:
Originally Posted by rollback View Post
That design looks familiar ...
Code matters, not design. For this purpose, I added the latest system for themes.
IonutPop is offline  
Old   #12

 
elite*gold: 83
Join Date: Nov 2013
Posts: 2,870
Received Thanks: 2,693
Quote:
Originally Posted by IonutPop View Post
CMS = content management system
As long as the administrator has the tools necessary for rapid editing, it can be considered a CMS.
Yes, but editing Social-Media-Links is all I can see.
Where can I add / edit the CONTENT?
rollback is offline  
Old   #13
 
elite*gold: 0
Join Date: Mar 2013
Posts: 22
Received Thanks: 6
Quote:
Originally Posted by rollback View Post
Yes, but editing Social-Media-Links is all I can see.
Where can I add / edit the CONTENT?
You can add news, you can activate some functions in admin panel.
If it was something premium, I can accept the hate. But as something is distributed for free, I do not see why there should be hate.
IonutPop is offline  
Thanks
3 Users
Old   #14
 
elite*gold: 0
Join Date: Dec 2014
Posts: 845
Received Thanks: 360
Quote:
Originally Posted by IonutPop View Post
You can add news, you can activate some functions in admin panel.
If it was something premium, I can accept the hate. But as something is distributed for free, I do not see why there should be hate.
Don't take him seriously, maybe it's just not his day. Complaining about free work isn't rare in this community.
BizepsSupportAccount is offline  
Old   #15

 
elite*gold: 83
Join Date: Nov 2013
Posts: 2,870
Received Thanks: 2,693
Quote:
Originally Posted by IonutPop View Post
You can add news, you can activate some functions in admin panel.
If it was something premium, I can accept the hate. But as something is distributed for free, I do not see why there should be hate.
I didn't want to hate and I apologize if it looked like I wanted to. I just couldn't see anything else than editing the social media links in your screens while you considered your release as a CMS.


rollback is offline  