JaiktDev Posted December 23, 2021

It is owned by `@greenreader9` on the InfinityFree Forum.

JaiktDev Posted December 23, 2021

Hello, you guys can use the following code to hide the user domain part in the vewssl.php. Most face errors due to that, because they copy the whole thing; instead, for the domain they have to use the dropdown in the CNAME section of the control panel. Hope it helps!

```php
<?php
// Build the ".<domain>" suffix so it can be stripped from the CNAME record name.
$dot = '.';
$find = $dot . $SSLInfo['domain'];
$replace = '';
$from = $Record['0'];
?>
```

Then use the following code to echo the above variables:

```php
<?php
// Print the record name without the domain suffix, HTML-escaped for the page.
echo htmlspecialchars(str_replace($find, $replace, $from), ENT_QUOTES, 'UTF-8');
?>
```

TinkerMan Posted December 23, 2021

Looks like the pricing was updated. $35 does not sound too bad... If you get it, let me know how it does!

Mahtab Hassan (Author) Posted December 24, 2021

> 9 hours ago, TinkerMan said: Looks like the pricing was updated. $35 does not sound too bad... If you get it, let me know how it does!

Well, those plugins are for non-programmers; you can simply make your own plugins, they are easy to make.

JaiktDev Posted December 24, 2021

Haha, I am trading with him for those with some other components! So free.

TinkerMan Posted December 24, 2021

> 8 hours ago, Shen Wei said: Well, those plugins are for non-programmers; you can simply make your own plugins, they are easy to make.

I agree. I’m thinking about getting the callback one so I know a bit more; most of them are easy to implement though.

JaiktDev Posted December 24, 2021

I traded some info with the owner!

Mahtab Hassan (Author) Posted December 25, 2021

> 15 hours ago, TinkerMan said: I agree. I’m thinking about getting the callback one so I know a bit more, most of them are easy to implement though.

Yup

Santiago Posted January 14, 2022

Hello everyone, I have updated my MOFHY Lite Multi Language repository and the improvements are:

- Language fixes in the Multi version.
- Updated to the latest version of the original code.
- New plugin that can be installed in any existing installation of MOFHY Lite.

PlanetCloud Posted January 15, 2022

Dear Friends,

Major critical security vulnerabilities have been discovered on MOFHY, including Project HUTSAL, and any other project that expands on them. Please monitor the issues on https://github.com/NXTS-Developers/MOFHY-Lite/issues for more details. (SEE CLOSED ISSUES AS WELL, SOME ARE INCORRECTLY CLOSED).

- https://github.com/NXTS-Developers/MOFHY-Lite/issues/52
- https://github.com/NXTS-Developers/MOFHY-Lite/issues/53
- https://github.com/NXTS-Developers/MOFHY-Lite/issues/54
- https://github.com/NXTS-Developers/MOFHY-Lite/issues/55

It is not a good idea to use the project until the issues have been fixed. Thank you, and have a nice day!

Edited January 15, 2022 by PlanetCloud

Mahtab Hassan (Author) Posted January 15, 2022

MOFHY and Hustal are now discontinued. No more development will be held.

TinkerMan Posted January 15, 2022

Why?

Mahtab Hassan (Author) Posted January 16, 2022

> 14 hours ago, TinkerMan said: Why?

I'm tired of this stuff.

PlanetCloud Posted January 18, 2022

> On 1/15/2022 at 1:58 PM, Shen Wei said: MOFHY and Hustal are now discontinued. No more development will be held.

Does this include the PRO version?

JaiktDev Posted January 18, 2022

> 2 hours ago, PlanetCloud said: Does this include the PRO version?

Nope, it's still available (i.e. it will get updates).

PlanetCloud Posted January 18, 2022

> 56 minutes ago, RoyalityFree said: Nope, it's still available (i.e. it will get updates).

Ah... I see... okay.

MichaelIanEllis Posted January 18, 2022

I am wondering if someone can help me here. I've installed Mofhy but I get a 502 bad gateway when the system tries to send email. I am using Yandex SMTP. Has anyone else had this issue?

TinkerMan Posted January 18, 2022

I would not recommend using MOFHY unless you can fix the gaping vulnerabilities. In any case, check your SMTP, and try using GMAIL to test it.

MichaelIanEllis Posted January 20, 2022

That's a good point, why haven't I done this?

User51 Posted January 21, 2022

Currently, anyone can access anybody's account on MOFHY-Lite by knowing the end-user's "hosting_client_key", which can be easily done by brute forcing numbers 0 through 999,999: https://github.com/NXTS-Developers/MOFHY-Lite/issues/53

However, what if you change the code, so that when the end-user signs up, the "hosting_client_key" doesn't generate numbers 0 through 999,999, but instead uses a combination of numbers and letters? This makes it much harder to brute force. Or will doing this break something? (My apologies if this is the stupidest idea ever)

While this is probably not the most ideal solution, it is at least a somewhat efficient way of dealing with the problem, until an actual fix is made.

JaiktDev Posted January 21, 2022

The community plans to replace it with tokens (more secure).

User51 Posted January 21, 2022

Yes, I've heard on GitHub.

> 1 hour ago, User51 said: until an actual fix is made

Until then, would it make sense to do this?

Mahtab Hassan (Author) Posted January 21, 2022

> 5 hours ago, User51 said: Currently, anyone can access anybody's account on MOFHY-Lite by knowing the end-user's "hosting_client_key", which can be easily done by brute forcing numbers 0 through 999,999: https://github.com/NXTS-Developers/MOFHY-Lite/issues/53 However, what if you change the code, so that when the end-user signs up, the "hosting_client_key" doesn't generate numbers 0 through 999,999, but instead uses a combination of numbers and letters? This makes it much harder to brute force. Or will doing this break something? (My apologies if this is the stupidest idea ever) While this is probably not the most ideal solution, it is at least a somewhat efficient way of dealing with the problem, until an actual fix is made.

Well, it is a good idea, but it will need to change the database structure.

Mahtab Hassan (Author) Posted January 21, 2022

> 5 hours ago, User51 said: Currently, anyone can access anybody's account on MOFHY-Lite by knowing the end-user's "hosting_client_key", which can be easily done by brute forcing numbers 0 through 999,999: https://github.com/NXTS-Developers/MOFHY-Lite/issues/53 However, what if you change the code, so that when the end-user signs up, the "hosting_client_key" doesn't generate numbers 0 through 999,999, but instead uses a combination of numbers and letters? This makes it much harder to brute force. Or will doing this break something? (My apologies if this is the stupidest idea ever) While this is probably not the most ideal solution, it is at least a somewhat efficient way of dealing with the problem, until an actual fix is made.

Issue fixed according to your guidelines.

PlanetCloud Posted January 21, 2022

Just in case it is missed, I've filed another issue on the original repository: https://github.com/NXTS-Developers/MOFHY-Lite/issues/60

> 48 minutes ago, Shen Wei said: Well, it is a good idea, but it will need to change the database structure.

Not much needed to be changed, but this is also a bad idea. Using a fixed/same string/token as a "remember me" token is a super duper bad idea because not only is the string short, it is fixed. That means unchanging for a long time (or even forever) and brute force can still be performed.

The correct way is to use a longer token that expires after a certain time. This way, even though a brute-force is launched, it will be useless because the token would've changed after said time. Some sites allow 7 days, while others 60 days. It depends on the strength of the token itself.

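The expiring-token approach described in the post above, as an added example that is not part of the thread and not taken from MOFHY or its repository: a 256-bit random token is issued with an expiry, only its SHA-256 hash is stored, and each successful check rotates it. The function names, the in-memory `$store` array (standing in for a database table) and the 7-day lifetime are assumptions.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 7 * 24 * 3600; // assumed lifetime: 7 days

// issueToken/redeemToken are illustrative names, not MOFHY functions.
// Only the hash is stored, so a leaked table does not reveal usable tokens.
// $store stands in for a database table.
function issueToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(8));   // public lookup id
    $validator = bin2hex(random_bytes(32));  // 256-bit secret from the CSPRNG
    $store[$selector] = [
        'user'    => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + TOKEN_TTL,
    ];
    return $selector . ':' . $validator;     // value placed in the cookie
}

// Return [userId, freshToken] on success, or null. Every token is single use:
// a valid one is rotated, an expired or mismatching one is deleted.
function redeemToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // consumed whatever the outcome
    if ($now >= $row['expires']) {
        return null;                         // expired: guessing it later is useless
    }
    // hash_equals compares in constant time, so timing leaks nothing.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return [$row['user'], issueToken($store, $row['user'], $now)];
}

// Constructed demonstration values.
$store  = [];
$now    = 1642723200;
$cookie = issueToken($store, 42, $now);
[$user, $next] = redeemToken($store, $cookie, $now + 60);
var_dump($user === 42);                                      // valid token accepted
var_dump(redeemToken($store, $cookie, $now + 120));          // replay of rotated token
var_dump(redeemToken($store, $next, $now + 60 + TOKEN_TTL)); // token past its expiry
```

Deleting the row on a failed validator check also means a guess against a known selector costs the attacker that selector, at the price of logging the legitimate user out of "remember me".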