HSP V0.2 Release



DeejayMachoo$
05-11-2007, 10:31 PM
Habbo Site Panel - Version 0.2 {OpenSource}



There were a few bugs in Version 0.1. This is now open source, so no more need for Zend Optimizer!


UPDATE LOG
Admin notes added.
Welcome message added.
New Habbo Style Layout.



DEMO
URL: http://mattx.org/demo
User: Habbox
Pass: demo

DOWNLOAD
URL: http://mattx.org/HSP_V0.2.zip

Puma
05-11-2007, 10:36 PM
it wont let me login

EDIT.. NVM is works now xD

--ss--
05-11-2007, 10:37 PM
Wow I like it , nice skin , you may want to have a skin changer / different skins up for download in the future for your next version :p

+rep

lolwut
05-11-2007, 10:38 PM
We could have a non-Habbo and a Habbo skin switcher in the next thing. Good?

Puma
05-11-2007, 10:39 PM
Looks great well done

DeejayMachoo$
05-11-2007, 10:39 PM
Wow I like it , nice skin , you may want to have a skin changer / different skins up for download in the future for your next version :p

+rep

Thanks great idea, ill try and work it into 0.3

adamFTW
05-11-2007, 10:42 PM
It doesnt seem to show my username when I goto the login page?

chrisgocrazyH
05-11-2007, 10:44 PM
looks like PHP dj with more features lol BUT VERY NICE +rep will use!!

DeejayMachoo$
05-11-2007, 10:47 PM
looks like PHP dj with more features lol BUT VERY NICE +rep will use!!

It Basically is :)

Invent
05-11-2007, 10:50 PM
A LOT of uncleaned vars.

DeejayMachoo$
05-11-2007, 10:51 PM
A LOT of uncleaned vars.

Ver 0.2.. We can sort this later :)

Jamieb
05-11-2007, 10:55 PM
Can we edit this?

adamFTW
05-11-2007, 10:56 PM
How come I cant see any of the usernames?

DeejayMachoo$
05-11-2007, 10:58 PM
Can we edit this?

As long as the copyright doesnt get removed..

and adam im not sure ill look into it later allrite?

lolwut
05-11-2007, 11:01 PM
oh fgs simon you moan all the time at anything i made, just TRY to be nice, just a little teeny bit?

Jamieb
05-11-2007, 11:01 PM
what copyright ?

EDIT.. GOT IT

DeejayMachoo$
05-11-2007, 11:02 PM
what copyright ?

EDIT.. GOT IT
Habbo Site Panel is Powered by Habbo Site Panel and is Copyright to the developers Mattx.org , H! and Layout Designed by Luke1194

Invent
05-11-2007, 11:04 PM
oh fgs simon you moan all the time at anything i made, just TRY to be nice, just a little teeny bit?

How was I mean or not nice? I was simply letting you know about a major security risk in your panel..

DeejayMachoo$
05-11-2007, 11:06 PM
Please can you 2 keep your arguments to pm. Thanks :)

Jamieb
05-11-2007, 11:11 PM
WOO there isnt a nav.php file:S

edit got it./.

whats this


http://thebobbas.net/staffpanel/images/nav_top.png
Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89

Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89

Warning: include() [function.include]: Failed opening 'inc/nav.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thebobba/public_html/staffpanel/login.php on line 89

DeejayMachoo$
05-11-2007, 11:16 PM
WOO there isnt a nav.php file:S

edit got it./.

whats this


http://thebobbas.net/staffpanel/images/nav_top.png
Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89

Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89

Warning: include() [function.include]: Failed opening 'inc/nav.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thebobba/public_html/staffpanel/login.php on line 89

Itz in the zip

Jamieb
05-11-2007, 11:39 PM
Thanks.. Is there a way to add more things to the profile system?

DeejayMachoo$
06-11-2007, 12:04 AM
Ill add custom profile fields in the next version.

adamFTW
06-11-2007, 12:12 AM
Thanks for helping me out Matt.

Very nice panel. :)

DeejayMachoo$
06-11-2007, 12:14 AM
Second DEMO
http://habboboards.com/HSP/
User: demo
Pass: demo

Beau
06-11-2007, 05:10 AM
Good... But as Invent said, many many many security flaws.

Take this for instance:

http://img259.imageshack.us/img259/2120/scr159bcaaap2.png

That worked. Now, that code was fairly harmless, but if Javascript is working, it can easily be used to send the user to a site that logs their cookie information, or to a porn site etc.

Whenever you're going to be displaying something like that, escape it with htmlentities():

$var = htmlentities($news['newscontent']);

Will show HTML tags as the actual characters (won't convert them to HTML).
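Beau's point above, as an added example (not code from the HSP release or from Beau): the same news row rendered once without escaping and once through a small escaping helper. It uses htmlspecialchars() with ENT_QUOTES and an explicit charset, which encodes the same HTML metacharacters htmlentities() does; the $news array and the sample news text are constructed here.

```php
<?php
// Constructed sample: the kind of text a user could have saved as news.
// Rendered raw, the <script> runs in every reader's browser (stored XSS).
$news = ['newscontent' => "Hello <b>DJs</b><script>document.location='http://example.invalid/'</script>"];

// UNSAFE: database content is echoed straight into the page.
function renderNewsUnsafe(array $news): string
{
    return '<div class="news">' . $news['newscontent'] . '</div>';
}

// SAFE: encode < > & " ' before output. ENT_QUOTES also covers single
// quotes, which matters if the value ever lands inside an attribute;
// the explicit charset avoids mis-encoding multibyte input.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderNewsSafe(array $news): string
{
    return '<div class="news">' . escapeHtml($news['newscontent']) . '</div>';
}

echo renderNewsUnsafe($news), PHP_EOL;
// <div class="news">Hello <b>DJs</b><script>...</script></div>   -> script executes
echo renderNewsSafe($news), PHP_EOL;
// <div class="news">Hello &lt;b&gt;DJs&lt;/b&gt;&lt;script&gt;... -> shown as literal text

// Self-check worth keeping in a test: no raw tag survives escaping.
var_dump(strpos(renderNewsSafe($news), '<script') === false); // bool(true)
```

Escaping belongs at the point of output, not at the point of storage: the database should hold what the user typed, and every place that prints it (news list, profile, admin notes) calls the helper.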

DeejayMachoo$
06-11-2007, 07:31 AM
Thanks ill work on adding to the next ver benzor

also +rep to all constructive critasisum (w/e its spelt)

Tomm
06-11-2007, 08:13 AM
This is highly insecure. I do not recommend you use it until the security issues are fixed. Input from POST and GET variables are being put directly into SQL queries. None of the input is cleaned for XSS or any other attack using javascript.

Beau
06-11-2007, 08:50 AM
This is highly insecure. I do not recommend you use it until the security issues are fixed. Input from POST and GET variables are being put directly into SQL queries. None of the input is cleaned for XSS or any other attack using javascript.

Unfortunately, Tom is right. And may I add, this is the same with most, DJ panels for release now. Developers should be making sure they are sanitizing both POST and GET inputs, escaping HTML when displaying data etc.

DeejayMachoo$
06-11-2007, 01:14 PM
Unfortunately, Tom is right. And may I add, this is the same with most, DJ panels for release now. Developers should be making sure they are sanitizing both POST and GET inputs, escaping HTML when displaying data etc.

Ok thanks for the comments and i will work with H! get try to get a Security fix out tonight.

lolwut
06-11-2007, 01:17 PM
Fair comments, I'll start editing the pages to escape HTML and try to use mysql_real_escape_string(); more too. Thanks benzoenator and redtom ;)
For anyone who's wondering, the main difference between the 0.1 release and this one is that this isn't Zend encoded. Which means less work for me and Matt in the long run.

DJ-Louis
06-11-2007, 01:40 PM
Very nice.

RedCrisps
06-11-2007, 03:57 PM
Love it, however the navigation shows at the side without anyone being logged in :S

Luke
06-11-2007, 04:17 PM
yay my layout is on :)

Anyway, this is a bit insecure as i see due to the javascripts.

When these are fixed will be good though xD

iTechnical
06-11-2007, 04:21 PM
yay my layout is on :)

Anyway, this is a bit insecure as i see due to the javascripts.

When these are fixed will be good though xD

Mhm, agreed

lolwut
06-11-2007, 04:44 PM
What Javascript. It doesn't even use any >_>
Now in the process of making a lot of use of mysql_real_escape_string(); (:

Luke
06-11-2007, 04:48 PM
What Javascript. It doesn't even use any >_>
Now in the process of making a lot of use of mysql_real_escape_string(); (:

I mean that you can use javascript when posting news.

--ss--
06-11-2007, 04:50 PM
A fix to the javascript could be that you have to use certain BB codes and only the simple codes such as Bold , underline , image , link etc is allowed

lolwut
06-11-2007, 04:50 PM
*requires further explanation*
--ss--2; The news script doesn't even HAVE BBCode. :rolleyes:

Lilian
06-11-2007, 05:17 PM
View News redirects you to google whilst reading lol!

lolwut
06-11-2007, 07:29 PM
cool.
*really doesn't care*
*considers it spam*

MrCraig
06-11-2007, 08:21 PM
oh fgs simon you moan all the time at anything i made, just TRY to be nice, just a little teeny bit?

Dude, he did the same to my UserSystem v1, And im thanking him for it now,

Because if he hadnt said it, then i would be running 'The dodgiest panel on the net'

And v2 wouldnt be as good as it is now =]

Looks good frontend-wise, But code looks mangled srry.

LegendOfNoob
06-11-2007, 08:23 PM
gotta admit Cj's v2 rocked down the house with the features as well as the security

lolwut
06-11-2007, 08:43 PM
Thanks for hijacking thread. >_>
For everyone's info; Security improvements being done right now. :]!
Technical side; mysql_real_escape_string() and strip_tags() being used on basically everything.
And we're not using hidden form fields atall now.
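Tomm's and Beau's posts above describe request data going straight into SQL, and lolwut's fix relies on mysql_real_escape_string(). As an added example (not code from the HSP release or from any poster), here is a login lookup written the unsafe way and then with a PDO prepared statement, which keeps the SQL text fixed and sends the values separately. Table and column names (users, username, password_hash), the sample POST values and the in-memory SQLite database are constructed assumptions; PDO and password_hash() are current PHP features that post-date this thread.

```php
<?php
// Constructed sample input: both POST fields are attacker-controlled.
$_POST['username'] = "admin' -- ";
$_POST['password'] = 'anything';

// UNSAFE: request values are spliced into the query text. With the sample
// above the WHERE clause becomes   username = 'admin' -- ' AND password = ...
// so everything after -- is a comment and the password check disappears.
function buildLoginQueryUnsafe(string $user, string $pass): string
{
    return "SELECT id, username FROM users WHERE username = '$user' AND password = '$pass'";
}

// SAFE: the SQL is a constant with a named placeholder; the value is bound
// at execute time, so quotes and comment markers in it are just data.
function findUser(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Password is checked in PHP against a stored hash, never compared in SQL.
function login(PDO $db, string $user, string $pass): ?array
{
    $row = findUser($db, $user);
    if ($row === null || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Demo against an in-memory SQLite database so this runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct-horse', PASSWORD_DEFAULT)]);

echo buildLoginQueryUnsafe($_POST['username'], $_POST['password']), PHP_EOL; // shows the broken query
var_dump(login($db, $_POST['username'], $_POST['password']));             // NULL: the injected input finds no user
var_dump(login($db, 'admin', 'correct-horse'));                             // array with id and username
```

Two caveats for anyone following lolwut's approach instead: mysql_real_escape_string() only protects a value that is placed inside quotes in the query and relies on the connection charset being set, and the mysql_* extension it belongs to was removed in PHP 7. strip_tags() reduces what can be stored but is not a substitute for escaping at output, which Beau's htmlentities() suggestion covers.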

MrCraig
06-11-2007, 09:01 PM
Im not hijacking thread, just saying you should pay more attention to security.

:Edzy
06-11-2007, 10:20 PM
zended?

DeejayMachoo$
06-11-2007, 11:45 PM
zended?
no and

http://habboxforum.com/showthread.php?p=4095864
