phpHaze
Website Content Management System
Welcome to phpHaze. Our website is currently under heavy development. Please bear with us while we work through this process. We plan to have a fully functional web presence ready for you as soon as possible!
Follow our progress at our blog.
Features
All admin areas have a built-in search module and a user-friendly GUI to make navigation and management simple and powerful.
[M] = this feature can be disabled/enabled by the system administrator with access to the secure config file outside the web root.
Content
[M] image management: upload, rename and delete images in the images directory, as well as in other select directories required by other modules.
[M] link directory: add, edit and delete outbound links for the directory; category management and organization are included.
[M] media player: full-featured management for the built-in media player. Add, edit and delete media in the playlist to dynamically change the player on the site. (FLV and other formats are supported through slight modification.)
navigation: manage the site links for the layout here. Includes control for the navigation panel (side navigation), top-subheader navigation, and footer navigation (very bottom of the site).
[M] news/blogging: this full-featured tool allows the user to post news or blog entries to the front page of the site.
[M] pages: add, edit and delete pages for the website here. Includes a WYSIWYG editor for HTML (toggleable).
panels: manage side, top or bottom panels here. These are usually used for small modules like the login box and user control area, or the media player. Users can add new panels of their own containing small HTML objects if they wish (such as embed code copied from YouTube).
Settings
[M] contact form: manage various settings for the website's email contact form, including custom fields, subjects, etc.
image verification: tweak the settings for the way image verification (a.k.a. CAPTCHA) works on the website (registration form, contact form, etc.).
mail: don't have a server with sendmail installed? Add an SMTP server's details here to use SMTP rather than sendmail.
[M] private messages: manage the folder limits and other features of the private message system.
[M] news: tweak the settings for the news and blogging system.
registration: toggle many features on and off, such as registrations, email verification, admin activation, etc.
security: manage the various security features of the website; examples include the IP blacklist, separate admin sessions for the admin panel, HTTPS support (choose which pages to secure), PHP error logging, and encrypted login sessions.
system: change the name of your site, its URL, and the site email address. You can also create multiple language packs and choose the site's language here. A few other miscellaneous settings can be toggled here as well, including the time zone.
theme: change the site's browser title, the theme itself (multiple themes are supported), the meta description and keywords, the footer and subfooter text, etc.
user: change user privileges here; includes toggles for password reset, username change, account deletion, login, and language and theme change. Also includes failed-login blocking, which can be tweaked, and the use of avatars and their limits.
System
[M] backup: back up the site database to a personal copy that can be restored by a system administrator.
[M] IP blacklist: add an IP address here to prevent a user at that address from using the website.
[M] emoticons: manage emoticons here (example: :) is turned into an image representing that icon). These are used in comments, the shoutbox, etc.
[M] file manager: manage non-image files (upload, rename and delete) for various modules here. Includes a "miscellaneous" bin directory, as well as management for the media player files and non-image icons (.ico).
levels: manage the system user levels here. Important system levels like system administrator and user (logged in) cannot be deleted, but new levels can be added in between and can be assigned specific admin areas to have access to if required.
[M] logs: when certain events happen, like a user logging in, creating an admin session, requesting a new password, failing a login, etc., the system logs this in the database. You can view these logs and clear them here.
maintenance: manage the use of maintenance mode (prevents non-admins from logging in and keeps the site inaccessible except for a front page with a custom message). You can also do some system maintenance here at the click of a button, such as restoring all of the system default settings, optimizing the database overhead, clearing old logs, and flushing temporary tables.
[M] sessions: manage live sessions here. You cannot create them, of course, but you can kill a user's session, such as kicking another administrator out of the admin panel.
users: add, edit and delete users here. Also includes ban management, and a CSV-based import/export utility for the mass creation of users.
Why phpHaze 2
But why phpHaze v2? I thought phpHaze v1 (1.59.2, to be exact) was the most secure and everything was fine and dandy as is?
To make a long story short, you are wrong. Even though phpHaze v1 is more secure than 99% of the CMS applications out there, phpHaze v2 is more secure still. phpHaze v2 is organized, designed, and laid out better. With the common developer in mind, we bring you phpHaze v2. Yes, we know, v1 was still beta. This one is certainly alpha.
1. Even Stronger Security!
Introducing unique-key 64-bit encryption:
- phpHaze v1 uses unencrypted cookies as the base of its user login system. If md5 can be reversed, cookies can be forged and thus the security of your site is compromised.
- phpHaze v2 uses not just encrypted cookies, but un-decryptable cookies, because it attaches a unique key to each encrypted string. The string is first base64-encoded, and then the unique key is encrypted and attached to it. An attacker must know the unique key in its unencrypted form (stored safely in a non-public directory on your server, outside the HTML root) to decrypt any data produced by phpHaze v2. Only if an attacker gains direct access to your FTP can he compromise your encryption by obtaining the unique key. Otherwise there is no way to retrieve it, inside or outside of the system.
Note: if your server does not support the MCrypt module, then unique-key encryption will not function properly. Instead, phpHaze will protect data using only base64 encoding, which can be reversed (decoded) by an attacker. Even so, the password is still protected using the unique key, which is NOT dependent on MCrypt, so it is still highly secure, though it could be more secure. See "Changed password hashing from md5..." below. Note that all Heritage servers are compiled with MCrypt enabled by default, so this will not be an issue.
- As mentioned earlier, another new security feature is the move of the main config file to a directory outside the HTML root, making it inaccessible from the web; it is reachable only by the script and by FTP.
- All requirements for Register Globals to be enabled have been removed, which removes the listener from the core and makes phpHaze that much faster.
- Changed password hashing from md5 (technically double md5) to random salt + sha1. Enjoy, attackers! If I hear even one rumor, even a probably false one, that sha1 was broken, I will double the hashing there as well, even though the random salt keeps it secure as a single layer. You heard right: I will double-hash sha1 + use the random salt if I really have to. Test me.
- Updated the imgSafe function to account for PHP scripts; scanning uploaded images through the system now detects a much wider array of possible image-based exploits, including but not limited to PHP scripts of any type.
- Fixed an array bug in the isNum function; it could have posed a minor security risk. Not too serious, but a security fix nonetheless, as isNum is primarily used for security reasons on various numeric $_GET requests in the system.
- phpHaze v1 allows you to edit the account data for the primary system administrator, "user_id = '1'", the first account ever created, from the admin panel. phpHaze v2 disables this feature in its entirety: the first system admin won't even be returned as a possibility in ANY user-admin result. Only the first user themselves can update their data, via the personal account page. You'll never see their result in your new admin area.
- encrypted messaging
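As an added illustration (not phpHaze's own code), the unique-key cookie scheme described above in a defensible form: the secret key is read from a file outside the web root, the session is encrypted under it, and a keyed MAC ensures a cookie that has been edited or forged is rejected before anything is decrypted. The key file path, its contents, and the use of OpenSSL in place of MCrypt are assumptions.

```php
<?php
// Added example, not phpHaze code: a login cookie sealed with a secret
// key kept outside the web root. OpenSSL AES-256-CBC stands in for the
// MCrypt extension the page mentions, and an HMAC is added so a forged
// or edited cookie is rejected before it is decrypted.
const KEY_FILE = '/home/site/private/phphaze_key.php'; // assumed path, outside public_html
function load_unique_key(): string {
    // Assumed: the file contains `return random_bytes(32);` saved once at install time.
    $key = require KEY_FILE;
    if (!is_string($key) || strlen($key) !== 32) {
        throw new RuntimeException('unique key missing or wrong length');
    }
    return $key;
}
function derive(string $purpose, string $key): string {
    return hash_hmac('sha256', $purpose, $key, true); // separate encryption and MAC keys
}
function seal_cookie(array $session, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt(json_encode($session), 'aes-256-cbc', derive('enc', $key), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, derive('mac', $key), true);
    return base64_encode($iv . $ct . $mac); // base64 is transport encoding only, not secrecy
}
function open_cookie(string $cookie, string $key): ?array {
    $raw   = base64_decode($cookie, true);
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === false || strlen($raw) < $ivLen + 16 + 32) {
        return null; // too short to hold iv + one cipher block + mac
    }
    $iv  = substr($raw, 0, $ivLen);
    $mac = substr($raw, -32);
    $ct  = substr($raw, $ivLen, -32);
    // Constant-time MAC check first; the ciphertext is only touched if it passes.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, derive('mac', $key), true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', derive('enc', $key), OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : json_decode($pt, true);
}

// Demo with a constructed key; a deployment would call load_unique_key() instead.
$key    = random_bytes(32);
$cookie = seal_cookie(['user_id' => 42, 'expires' => time() + 3600], $key);
$good   = open_cookie($cookie, $key);                        // untouched cookie
$bad    = open_cookie(substr($cookie, 0, -4) . 'AAAA', $key); // cookie edited by the client
```

Opening the untouched cookie returns the session array; the edited cookie fails the MAC check and returns null, so a client that tampers with its cookie learns nothing about the key or the plaintext.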
2. User Level management
- No more static user levels (member, mod, admin, etc.). They are now dynamic, served by your admin panel with a new area to manage them entirely. System-based levels (the old ones) are non-removable and can only have their name and rights edited. This is to prevent possible fatal issues should you accidentally remove or edit the wrong piece of data for a system-required level.
- However, you can add as many new levels as you like. We use a large number, 99999, to base the access on; technically you have about 80,000 possible user levels between default member and moderator. You can also add about 10,000 between the various administrator ranks.
- Nothing is infinite, not even user accounts (technically you could only have a current maximum number of accounts, or accounts ever created, of presumably 999,999,999,999,999. It stops there, as an example of how a system like this really works). Even PHP-Fusion, which phpHaze is a direct spin-off of (or a spawn of, if you will), is not unlimited or infinite. With PHP-Fusion, it is actually a lot less than a 15-digit number; it used to be 5, but I think v7 of PHP-Fusion upped it to 8 as they started to hit maximums on big sites. phpHaze basically doubles this, for further assurance that you won't hit these limits unless you actually attempt to. Note that in PHP-Fusion there is NO user level management whatsoever.
3. Better Theme System
- The new theme system is more flexible, giving you control over your site's output from <html> to </html>, with the obvious exception of complex administration areas. As a whole, the theme system has been rewritten entirely, and hopefully will not need future adjustments, as updating custom themes with an upgrade package can be a complex and non-universal process, as system updates can be. Inconsistencies can occur easily. Let's try to get it right the first time with phpHaze v2. (Starting to see why we had to go to version 2 rather than 1.6? 1.6 simply would not support this system framework at all.)
4. Better User management
- The new advanced user management area is loaded with features, to name a few:
-- Pagination: splits user results into multiple pages
-- User search: ability to filter user results by partial/full username/email/IP
-- Mass user deletion using checkboxes
-- Import Users: you can now import a spreadsheet (CSV) of user data. This allows you to add multiple accounts at once, which is useful for large corporations with data already on file prior to installing phpHaze. As a direct result, you can also export existing accounts (CSV). phpHaze knows what to do when adding accounts with pre-encrypted passwords or with plain-text passwords (the difference between a fresh import and an export/delete/import). Yes, clever, wasn't it?
- Not to mention you can also now disable the requirement of administrator activation for new accounts, which gives you flexibility between a private and a public style website.
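An added example (not phpHaze code) covering both the salted-sha1 password change in section 1 and the CSV import above: it verifies a login against a v2 row, falls back to the v1 double-md5 form (assumed here to be md5(md5($password))), rehashes such a row on the next successful login, and hashes a plain-text import column before it is stored. The row formats and function names are assumptions.

```php
<?php
// Added example, not phpHaze code. v2 rows are stored as "salt$sha1hex";
// v1 rows are assumed to be a bare md5(md5($password)). Current PHP offers
// password_hash(), which is slow by design; the salt + sha1 scheme below is
// the one the page describes.
const V1_RE = '/^[0-9a-f]{32}$/';
const V2_RE = '/^([0-9a-f]{32})\$[0-9a-f]{40}$/';
function hash_password_v2(string $password, ?string $salt = null): string {
    $salt = $salt ?? bin2hex(random_bytes(16)); // fresh 128-bit random salt per account
    return $salt . '$' . sha1($salt . $password);
}
function verify_password(string $password, string $stored): bool {
    if (preg_match(V2_RE, $stored, $m)) {
        return hash_equals($stored, hash_password_v2($password, $m[1]));
    }
    if (preg_match(V1_RE, $stored)) { // legacy double-md5 row from a v1 install
        return hash_equals($stored, md5(md5($password)));
    }
    return false;
}
// Login: verify, then rehash a legacy row so the md5 form dies out over time.
// Returns the value the users table should now hold for this account.
function login(string $password, string $stored): array {
    if (!verify_password($password, $stored)) {
        return ['ok' => false, 'stored' => $stored];
    }
    $upgraded = preg_match(V1_RE, $stored) ? hash_password_v2($password) : $stored;
    return ['ok' => true, 'stored' => $upgraded];
}
// CSV import: a column that already is a v1 or v2 hash is kept as-is and
// verified lazily; plain text is hashed immediately and never stored. A
// plain-text password that happens to be 32 hex chars would be mistaken
// for a hash, so an import format should flag which kind each row holds.
function import_password_column(string $column): string {
    if (preg_match(V1_RE, $column) || preg_match(V2_RE, $column)) {
        return $column;
    }
    return hash_password_v2($column);
}

// Constructed rows standing in for database records:
$legacyRow = md5(md5('hunter2'));                     // account carried over from v1
$csvRow    = import_password_column('correct horse'); // plain-text column from a CSV
$r1 = login('hunter2', $legacyRow);                   // legacy account logging in
$r2 = login('wrong', $csvRow);                        // bad password
```

For the legacy account, `$r1['ok']` is true and `$r1['stored']` is a new salt$sha1 row to write back; `$r2['ok']` is false and the stored value is unchanged.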
5. Localization
- phpHaze is now mostly (99%) controlled by language packs (where in v1 the percentage was roughly... 2%?). It only comes with the English language pack by default; you are free to create your own and install them at your leisure. However, modifying any other phpHaze code is against copyright law. There may be minor parts of the language pack that are static, not controlled in the packs themselves. We will address these during service releases, as some of the features in phpHaze cannot be localized because they are far too dynamic. Later service releases will address this issue and a compromise will be made in the programming to make it possible; at this point, however, there is not even a demand for anything besides English. We are just preparing it for more languages in the future, so there's no real rush to update the language pack past the current point unless absolutely necessary.
6. Even more portability
- Multiple settings sets: you can save your current settings as a backup set, and use this to run multiple installations of this system with different languages or themes that utilize the other settings sets. You can also use them simply to restore sets of settings, which could fix issues you have after changing your settings, should you choose to create a separate copy when you save them.
7. Better "Help Logging In"
- Did away with the forgot-password feature entirely. phpHaze now uses a more secure method to reset your password via an encrypted key sent by e-mail to your account's address on file.
- Added a "Forgot Username" feature that sends the current username text to the account email; it is not as sensitive as the password, so it can be sent rather than reset.
- Moved forgot password to the "need help logging in" page, and replaced "forgot password" on the login box with "Help". More straightforward.
8. Module driven
- A lot of the stock features in phpHaze are modular, meaning you can disable and enable them at any time, which in turn lets the system know you want anything related to this module disabled elsewhere as well. It's mighty useful, trust me.
9. System organization and hierarchy
- The system itself and the folder structure are simply organized better overall. I rewrote and redid EVERYTHING, literally, character for character, file for file. Moved files around, etc. It makes it easier for fellow developers to find what they are looking for, and also to apply updates with as few files as possible.
10. It's faster.
- Made use of caching to store the latest Haze version; this prevents the need to fetch it on every admin page reload, and only on the index page at that. The admin panel now runs many, many times faster than in the past.
- Removed all unnecessary scripting that may slow the system noticeably (without accounting for the size of the database).
- On the templating/theming side of things, I've attempted to minimize JavaScript and inline CSS as much as possible. 99% of scripting and CSS styling happens in the theme itself, not in the system as in the past.
11. Other stuff
- Updated all classes used by phpHaze (phpmailer, httpdownload, smtp, etc) to their latest versions
12. Coming Soon
- Virtual Cronjobs: instruct phpHaze to run certain scripts on certain days & times, like the cronjob manager in cPanel.
phpHaze - Website Content Management System
Copyright © 2008 - 2011 Justin Love (author)
Developed for sole use by elitix IT
This is paid client software. Redistribution or modification of this software in any way is against copyright law.