Fancy stuff about my technical life

What this is all about is....

Simple Blogg

posted by cimnine @ 3:36am, Monday 29 September 2008.

Hi out there...

Are you bothered that everyone uses WordPress? Well, it's nice, but not for me. Far too many features. So I searched for a simple, easy-to-use and quick-to-set-up blog software. As so often, I went to sf.net to find my piece of software.

I highly recommend making use of the filters. The most important filter is "Has files": with it you won't get any unfinished projects.

I also highly recommend using only open-source projects, so that you are free to change the code as you need.

Setup of eggBlogg was very easy (go to eggblog.net). Still, you have to do some things to secure your server: for example, turn off directory listing via .htaccess, or only allow access to the files that need to be reachable from the outside. I'm going to do this via a .htaccess. (I use apache2.) (I have not done this yet.)
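An example of the .htaccess hardening described above, added here by the editor (it is not from the post and not part of eggblog): one file for the blog's document root that turns off directory listing and refuses obvious leftovers, and one for eggblogg/_lib/ that refuses all outside requests to the library scripts. It assumes, as is usual for a _lib directory, that those scripts are only include()d by the front-end pages and never requested directly, and that AllowOverride permits Options and AuthConfig for these directories. The syntax is Apache 2.4's Require directive; on Apache 2.2 (current when the post was written) the equivalent of "Require all denied" is "Order deny,allow" followed by "Deny from all".

```apache
# Added example (not from the post or from eggblog). Apache 2.4 syntax; on 2.2
# replace "Require all denied" with "Order deny,allow" + "Deny from all".

# --- .htaccess in the blog's document root (the eggblogg/ directory) ---
# No automatic index pages: a directory without an index file answers 403
# instead of listing its contents.
Options -Indexes

# Never serve editor backups, SQL dumps, logs or include files, whichever
# directory they end up in.
<FilesMatch "\.(bak|orig|swp|sql|log|inc)$">
    Require all denied
</FilesMatch>

# --- .htaccess in eggblogg/_lib/ ---
# Assumption about eggblog's layout: the scripts here (user.php, news.php, ...)
# are only include()d by the front-end pages, so nothing in this directory
# needs to be reachable over HTTP.
Require all denied
```

After saving both files, request a directory URL and a URL under _lib/ from outside and confirm that both return 403; if Apache answers 500 instead, AllowOverride is too restrictive for the directives used.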

And maybe you want to set up a vhost for your blog. http://blog.you.info looks more professional than http://you.info/fancyblogg, doesn't it?

So, check it out.

Regards,
Chris

 

Update 1:

When it comes to security, these developers definitely still have something to learn... They store unencrypted passwords in the database, for example. So I fixed some issues:

In eggblogg/_lib/user.php, do:

Around line 194: replace the content of the else statement (everything between { and }) with $output.=" <p>".$lang['forgot_ok'].".</p> ";
This makes sure that no one can brute-force who your users are: the forgot-password page now gives the same answer whether or not the address is registered.

Then the password-in-DB thing:

Change, around line 165,
$sql="INSERT INTO eb_users SET user_flag=1,user_name='".htmlentities($_POST['name'],ENT_QUOTES)
."',user_email='".htmlentities($_POST['email'],ENT_QUOTES)."',user_password='".htmlentities($_POST['password'],ENT_QUOTES)."'";

to
$sql="INSERT INTO eb_users SET user_flag=1,user_name='".htmlentities($_POST['name'],ENT_QUOTES)
."',user_email='".htmlentities($_POST['email'],ENT_QUOTES)."',user_password=md5('".htmlentities($_POST['password'],ENT_QUOTES)."')";

Change this on line 25
user_password='".$password."'";
to
user_password=md5('".$password."')";

and this on line 22
if($key==0) $password=md5($password);
else $password=htmlentities($password,ENT_QUOTES);

to
if($key!=0) $password=htmlentities($password,ENT_QUOTES);

Then you also have to change admin.php:

Change lines 160/161
"'".str_replace("'","'",$config["email"])."','".
str_replace("'","'",$config["email"])."');";

to
"'".str_replace("'","'",$config["email"])."',md5('".
str_replace("'","'",$config["email"])."'));";

Now you'll be a bit safer... More updates to come... (like an e-mail double-check, or AdWords integration)

PS: Don't forget to run eggblog in a dedicated database with its own user!

Update 2: For some reason, every question mark gets an ω... I'll go over this when I have time...

Update 3: You could also do the md5 in PHP instead of in MySQL. But IMO this only makes sense when your MySQL and PHP/web servers are on different machines.

Update 4: Just fixed another bug: if no article was found (for example because of a spoofed id) there was an ugly MySQL error. To fix this, change line 182 of eggblogg/_lib/news.php from
return mysql_result($query,0);
to
if (mysql_num_rows($query) > 0) {
    return mysql_result($query,0);
} else {
    return "true";
}
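As an added example (editor's code, not eggblog's and not from the post), the same three behaviour changes done on the PHP side, as Update 3 suggests: the forgot-password reply that does not reveal whether an address is registered (the change around line 194), hashing the password in PHP before the INSERT instead of with MySQL's md5() (the line 165/25/22 changes; here with password_hash(), which adds a per-user salt and is the stronger choice over unsalted MD5), and the not-found check from Update 4. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the eb_users and eb_news tables and the $lang['forgot_ok'] entry are constructed to resemble eggblog's and are assumptions, as are PHP >= 7.1 and the pdo_sqlite extension.

```php
<?php
// Added example, not eggblog's own code. Assumes PHP >= 7.1 with pdo_sqlite.
// The tables and the $lang entry are constructed here to resemble eggblog's.
declare(strict_types=1);

$lang = ['forgot_ok' => 'If that address is registered, a reminder has been sent'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE eb_users (
    user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_flag INTEGER NOT NULL,
    user_name TEXT NOT NULL,
    user_email TEXT NOT NULL UNIQUE,
    user_password TEXT NOT NULL)');
$db->exec('CREATE TABLE eb_news (
    news_id INTEGER PRIMARY KEY AUTOINCREMENT,
    news_title TEXT NOT NULL)');

// Registration (the post's change around line 165 of user.php, done in PHP):
// hash before the INSERT so the plaintext never reaches the database.
function registerUser(PDO $db, string $name, string $email, string $password): void
{
    // password_hash() salts per user; md5() as used in the post is unsalted and fast to crack.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // With a prepared statement the values are never spliced into the SQL text, so the
    // htmlentities() calls in the original INSERT are not what protects the query;
    // escape for HTML when the name is displayed instead.
    $stmt = $db->prepare('INSERT INTO eb_users (user_flag, user_name, user_email, user_password)
                          VALUES (1, :name, :email, :hash)');
    $stmt->execute([':name' => $name, ':email' => $email, ':hash' => $hash]);
}

// Login (the post's line 22/25 changes): verify against the stored hash.
function checkLogin(PDO $db, string $email, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT user_password FROM eb_users WHERE user_email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown address: run a comparison of the same cost anyway, so the
        // response time does not reveal which addresses exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// Forgot password (the post's change around line 194): the reply is identical
// whether or not the address is registered.
function forgotPassword(PDO $db, string $email, array $lang): string
{
    $stmt = $db->prepare('SELECT user_id FROM eb_users WHERE user_email = :email');
    $stmt->execute([':email' => $email]);
    if ($stmt->fetchColumn() !== false) {
        // The reminder mail would be sent here; its outcome is not reported back.
    }
    return '<p>' . htmlspecialchars($lang['forgot_ok'], ENT_QUOTES) . '.</p>';
}

// Article lookup (Update 4): an unknown or non-numeric id yields null instead
// of a database error; the int cast keeps anything but a number out of the query.
function getArticleTitle(PDO $db, $id): ?string
{
    $stmt = $db->prepare('SELECT news_title FROM eb_news WHERE news_id = :id');
    $stmt->execute([':id' => (int) $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// Demo run with constructed data.
registerUser($db, 'chris', 'chris@example.com', 'correct horse battery');
$db->exec("INSERT INTO eb_news (news_title) VALUES ('First post')");

var_dump(checkLogin($db, 'chris@example.com', 'correct horse battery'));
var_dump(checkLogin($db, 'chris@example.com', 'wrong'));
var_dump(checkLogin($db, 'nobody@example.com', 'wrong'));
echo forgotPassword($db, 'chris@example.com', $lang), "\n";
echo forgotPassword($db, 'nobody@example.com', $lang), "\n";
var_dump(getArticleTitle($db, '1'));
var_dump(getArticleTitle($db, '999'));
var_dump(getArticleTitle($db, 'abc'));
// What the database actually holds: a salted hash, not the plaintext.
echo $db->query('SELECT user_password FROM eb_users')->fetchColumn(), "\n";
```

Run it with php on the command line; the two forgotPassword() lines print the same paragraph, and the last line shows that only a hash is stored. Against a real MySQL install the only change is the PDO DSN and dropping SQLite's AUTOINCREMENT keyword.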

By the way: I like this blog more and more: its design is straightforward and really easy to learn. Fixing / changing something is really easy... ~Chris
