David191212 submitted a new resource: PEXAdmin - Web-interface to view/edit permissionsEX data
Connect to your server over SSH, uncompress the PEXAdmin_v1.0.zip archive in some folder and set your virtualhost to serve the '/' folder into the public folder. Let me know if you have further questions.
I strongly recommend against using the Secure Hash Algorithm 1 cryptographic hash function to store passwords. Reconsider please; https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Code (Text):

    if (!empty($_POST['login']) && !empty($_POST['password'])) {
        $paramLogin = $_POST['login'];
        $paramPassword = $_POST['password'];
        $username = strtolower($paramLogin);
        $password = sha1($paramPassword);
        $userList = (new Config())->loadFromJSONFile(APPLICATION_DIR.'/Config/users.json');
        $checkedUser = $userList->getOption($username, false);
        if (!empty($checkedUser) && !empty($checkedUser['password'])) {
            if ($password === $checkedUser['password']) $user = $checkedUser;
            $user['login'] = $username;
            unset($user['password']);
        }
    }

Does the framework actually clean the input? (Because I do not see it.) Or is this open to SQL injection big time? I find it dangerous that it appears that there's no input sanitization for a script that's potentially open to the web, with access to PEX as a full-blown admin whose pass can easily be obtained through poor sha1 hashing, and allow that person to set perm * on them to get all access to the Minecraft server. Hopefully I just don't understand this framework and unsanitized input is actually processed by the framework before being processed by PHP/SQL.
The users' passwords are stored in the config file 'users.json', which is not publicly accessible (and is protected by a 'Deny from all' directive for the 'no parent folder' flavor). All MySQL statements use prepared queries through PDO, so no injection is possible.
Glad to hear, still strongly recommending against using sha1. This has never been a safe choice for passwords, and will never be.
Got it about the sha1. I will add an option in the config file to let the user choose between the sha1 and bcrypt hash algorithms.
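Added example (not part of the thread and not PEXAdmin's own code): one way to move the login check quoted above from sha1 to bcrypt without forcing password resets, by accepting a legacy SHA-1 digest once and replacing it with a bcrypt hash on successful login. The function name `checkLogin`, the `$users` array layout (inferred from the quoted snippet) and the sample data are assumptions; writing the updated array back to users.json is left to the caller.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not PEXAdmin code. $users mirrors the layout implied by
// the quoted snippet: login => ['password' => <stored hash>, ...other fields].
function checkLogin(array &$users, string $login, string $password): ?array
{
    $login  = strtolower($login);
    $stored = $users[$login]['password'] ?? null;
    if (!is_string($stored) || $stored === '') {
        return null; // unknown user or no password set
    }

    // A legacy entry is a bare 40-character hex SHA-1 digest.
    $isLegacy = preg_match('/^[0-9a-f]{40}$/', $stored) === 1;

    $ok = $isLegacy
        ? hash_equals($stored, sha1($password))   // constant-time comparison
        : password_verify($password, $stored);    // salted bcrypt check
    if (!$ok) {
        return null;
    }

    // Upgrade on successful login: the plaintext is only available here,
    // so this is the moment to replace the weak digest.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$login]['password'] = password_hash($password, PASSWORD_BCRYPT);
        // The caller must persist $users (for example back to users.json).
    }

    $user = $users[$login];
    $user['login'] = $login;
    unset($user['password']); // never hand the hash to the session
    return $user;
}

// Constructed sample data: one account still stored as unsalted SHA-1.
$users = ['admin' => ['password' => sha1('correct horse'), 'role' => 'admin']];

var_dump(checkLogin($users, 'Admin', 'wrong'));           // rejected
var_dump(checkLogin($users, 'Admin', 'correct horse'));   // accepted, entry upgraded
var_dump(password_get_info($users['admin']['password'])['algoName']);
var_dump(checkLogin($users, 'admin', 'correct horse'));   // accepted via bcrypt
```

Once every active account has logged in, the legacy branch can be removed and any remaining 40-character entries treated as requiring a reset.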
David191212 updated PEXAdmin with a new update entry: Security update
I tried to install it on my Fedora machine, and I keep getting this message. http://prntscr.com/hsosxv
Hi TheWizard54,

Did you set the database credentials? The DSN and credentials must match the ones provided in PermissionEx's sql backend config.

If you still have problems, please turn the PEXAdmin debug mode on by adding the following line in the .htaccess:

Code (Text):

    SetEnv APPLICATION_ENV development

Then tell me which error message appears and I'll try my best to help you.
It seems that PHP cannot find the mysql driver. Try this:

Code (Text):

    yum install php-mysql

then restart the httpd server.