amuck-landowner

Feathur Launch (VPS Control Panel => 0.6.0.1 => Free For Private Use)

BlueVM

New Member
Verified Provider
@Flapadar - The way the system works is based on email. The username is just there to make the user feel better. It doesn't impact administrators in any way and the system doesn't use the username field for anything (at all).

If you enter someone else's email into the forgot password box, their password remains the same. It only changes if they click the link and proceed to enter a new password.

Also, entering their email into the login box over and over will only ban your IP from login, not theirs.
 
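The reset and lockout behaviour described in the post above, as an added example in PHP. This is not Feathur's code: the table and column names (users, password_resets, login_failures), the token lifetime and the failure limits are assumptions chosen for the illustration. The point it shows is that a reset request only stores a hashed, expiring token, the stored password hash changes only when the raw token from the email comes back together with a new password, and repeated failed logins count against the source IP rather than the targeted account.

```php
<?php
// Added example of the behaviour described above; not Feathur's code.
// Table names, column names and the limits below are assumptions.
declare(strict_types=1);

final class AccountService
{
    private const RESET_TTL   = 3600; // seconds a reset link stays valid
    private const MAX_FAILS   = 5;    // failed logins per IP before it is blocked
    private const FAIL_WINDOW = 900;  // seconds a failure counts against the IP

    private PDO $db;

    public function __construct(PDO $db) { $this->db = $db; }

    // Step 1: anyone may request a reset for any address. The account is not
    // modified; only a hashed, time-limited token is stored. The raw token is
    // what goes into the emailed link.
    public function requestReset(string $email): ?string
    {
        $stmt = $this->db->prepare('SELECT id FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);
        $userId = $stmt->fetchColumn();
        if ($userId === false) {
            return null;                 // unknown address: nothing to send
        }
        $token = bin2hex(random_bytes(32));
        $stmt = $this->db->prepare(
            'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:uid, :hash, :exp)'
        );
        $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', $token), ':exp' => time() + self::RESET_TTL]);
        return $token;
    }

    // Step 2: the password changes only when a request carries the raw token
    // from the email together with the new password. Tokens are single use.
    public function completeReset(string $token, string $newPassword): bool
    {
        $stmt = $this->db->prepare(
            'SELECT user_id FROM password_resets WHERE token_hash = :hash AND expires_at > :now'
        );
        $stmt->execute([':hash' => hash('sha256', $token), ':now' => time()]);
        $userId = $stmt->fetchColumn();
        if ($userId === false) {
            return false;                // bad or expired token: password unchanged
        }
        $this->db->beginTransaction();
        $this->db->prepare('UPDATE users SET password_hash = :hash WHERE id = :uid')
                 ->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':uid' => $userId]);
        $this->db->prepare('DELETE FROM password_resets WHERE user_id = :uid')
                 ->execute([':uid' => $userId]);
        $this->db->commit();
        return true;
    }

    // Failures are recorded against the client IP, so hammering the login form
    // with someone else's address blocks the sender's IP while the targeted
    // account keeps working from everywhere else.
    public function login(string $email, string $password, string $ip): bool
    {
        $stmt = $this->db->prepare('SELECT COUNT(*) FROM login_failures WHERE ip = :ip AND at > :since');
        $stmt->execute([':ip' => $ip, ':since' => time() - self::FAIL_WINDOW]);
        if ((int) $stmt->fetchColumn() >= self::MAX_FAILS) {
            return false;                // this IP is blocked; the account is untouched
        }
        $stmt = $this->db->prepare('SELECT password_hash FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);
        $hash = $stmt->fetchColumn();
        if ($hash !== false && password_verify($password, $hash)) {
            return true;
        }
        $this->db->prepare('INSERT INTO login_failures (ip, at) VALUES (:ip, :at)')
                 ->execute([':ip' => $ip, ':at' => time()]);
        return false;
    }
}

// Demonstration on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->exec('CREATE TABLE login_failures (ip TEXT, at INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)')
   ->execute([':e' => 'victim@example.com', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$svc = new AccountService($db);

// An attacker requests a reset for the victim's address but never sees the
// emailed token, so the victim's original password keeps working.
$svc->requestReset('victim@example.com');
var_dump($svc->login('victim@example.com', 'correct horse', '203.0.113.7'));

// Repeated wrong guesses block the guessing IP, not the victim's account.
for ($i = 0; $i < 6; $i++) {
    $svc->login('victim@example.com', 'wrong', '198.51.100.9');
}
var_dump($svc->login('victim@example.com', 'correct horse', '198.51.100.9'));  // blocked IP
var_dump($svc->login('victim@example.com', 'correct horse', '203.0.113.7'));   // victim's own IP
```

Two caveats a practitioner would add. The caller of `requestReset()` should show the same message whether or not the address exists, otherwise the form enumerates accounts. And an IP-keyed block alone is weak against an attacker with many source addresses while it can lock out legitimate users behind a shared NAT, so it is usually paired with a per-account delay that slows guessing without denying the real owner access.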

RiotSecurity

New Member

BlueVM

New Member
Verified Provider
1. I suppose you're right on the autoloader. Perhaps I'll update the code to support that.

2. I don't see the particular issue with that line of code. It's admin side, if you have an admin pulling things from the database they shouldn't be, you have more issues than code itself can solve.

--

Bottom line: It's your preference for how the program is coded, there's nothing particularly wrong with the code.
 

sundaymouse

New Member
The master server installed according to the tutorial on GitHub turns out to be version 0.5.6. I also found that the add server function doesn't seem to work, as the page whites out after you press submit.
 

BlueVM

New Member
Verified Provider
@sundaymouse - Mind if I take a look at your install? I haven't seen that before (our copy has no issues with adding servers) so I'd like to see what causes it...
 

sundaymouse

New Member
@sundaymouse - Mind if I take a look at your install? I haven't seen that before (our copy has no issues with adding servers) so I'd like to see what causes it...
I installed the master in your $1/mo 256MB OVZ. Unfortunately I have already reloaded the OS. Never mind, it's probably a problem with low memory and php-cgi dying. I will try the installation on a larger RAM later.
 

libro22

Member
Well, if you use a proper MVC then the database would be a library/class that is extended into the core controller and can then be called at any point.

A lot of the exploits in WHMCS are because they use global variables and force register_globals on. What register_globals does is let you set a variable in the URL and it sets a variable of the same name in your code, allowing you to inject things like a beast.

Justin wasn't kidding when he said there were 30k+ lines of code. I've not had a chance to audit very much of it, but it would have been nice if he had used a more advanced MVC.

Most of the bigger MVCs have validation classes and things like that so the 19-deep if statements don't happen. You feed it a few function calls and it's game.

I think the biggest issue I've seen so far is that they do raw SQL queries in the code. Now, they're using PDO's bindings, which means SQL injections are pretty much not going to happen, but because they aren't pushing things into a Model, a column name change means they have to update every file that calls said column, instead of just that single file and a couple of templates.


Francisco
Is extending a class better than using a 'registry' class? I'm quite new with MVC.
 

peterw

New Member
I think the biggest issue I've seen so far is that they do raw SQL queries in the code. Now, they're using PDO's bindings, which means SQL injections are pretty much not going to happen, but because they aren't pushing things into a Model, a column name change means they have to update every file that calls said column, instead of just that single file and a couple of templates.
Database models are very important and should be used in every project, because schema upgrade and validation can be done automatically.
 
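An added PHP example covering two points from the thread: the register_globals pattern Francisco describes (a request parameter overriding an internal variable) and the model-versus-raw-SQL point that Francisco and peterw both raise. It is not WHMCS or Feathur code; the table and column names and the `UserModel` class are made up for the illustration. Because register_globals was removed in PHP 5.4, the same effect is reproduced with `extract()` so the snippet runs on a current interpreter.

```php
<?php
// Added example for the discussion above; not WHMCS or Feathur code.
// Table and column names (users, email) are assumptions.
declare(strict_types=1);

// --- register_globals -------------------------------------------------------
// With register_globals=On every request parameter became a PHP variable
// before the script ran. extract() reproduces that here.
function vulnerableAdminCheck(array $request, bool $isAdmin): string
{
    extract($request);              // $authorized now exists if ?authorized=1 was sent
    if ($isAdmin) {
        $authorized = true;
    }
    // For a non-admin $authorized was never initialised by the script, so the
    // value the request injected decides the outcome.
    return !empty($authorized) ? 'granted' : 'denied';
}

function fixedAdminCheck(array $request, bool $isAdmin): string
{
    $authorized = false;            // initialise every control variable
    // Input is only ever read explicitly (e.g. $request['page']), never extracted.
    if ($isAdmin) {
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

// --- raw SQL versus a model with PDO bindings -------------------------------
function rawLookup(PDO $db, string $email): ?array
{
    // The pattern the post warns about: query text and column names repeated
    // in every caller. This variant also interpolates input into the query.
    $row = $db->query("SELECT id, email FROM users WHERE email = '$email'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

final class UserModel
{
    // The schema is named in one place; a column rename is edited here only.
    private const TABLE     = 'users';
    private const COL_EMAIL = 'email';

    private PDO $db;

    public function __construct(PDO $db) { $this->db = $db; }

    public function findByEmail(string $email): ?array
    {
        $sql = sprintf('SELECT id, %s AS email FROM %s WHERE %s = :email',
                       self::COL_EMAIL, self::TABLE, self::COL_EMAIL);
        $stmt = $this->db->prepare($sql);
        $stmt->execute([':email' => $email]);   // input travels only as a bound value
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// --- demonstration on an in-memory SQLite database (constructed data) -------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$db->exec("INSERT INTO users (email) VALUES ('admin@example.com')");

$hostile = ['authorized' => '1'];          // what ?authorized=1 would deliver
var_dump(vulnerableAdminCheck($hostile, false));   // the injected variable wins for a non-admin
var_dump(fixedAdminCheck($hostile, false));        // the initialised variable is unaffected

$injected = "' OR '1'='1";
$model = new UserModel($db);
var_dump(rawLookup($db, $injected));        // the quote breaks out and the admin row comes back
var_dump($model->findByEmail($injected));   // the whole string is compared literally: no row
```

The two halves share one lesson: control variables and query structure must come from the code, never from the request. `extract()` on request data is the same mistake as register_globals and should be treated the same way in review, and a raw query string is only safe while every developer remembers to bind; keeping the query inside a model removes both the repetition Francisco objects to and the chance of an unbound call slipping in later.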