phpHaze v2

03/22/2010 phpHaze v2

Sorry about the recent downtime, for anyone who may have actually been visiting the site. I had it turned off for about a year while I sorted some things out in life and worked on the latest version of phpHaze.

I've got the new version up and running now and have begun to convert the data from my old site to fill up this one. Feel free to go ahead and register and help me test things out if you wish. I'll be back to updating this application on a regular basis, as I have a good number of clients that are now using the technology.

I've been very busy the past year or so and will post about all of that in another entry later in the week. For now I'm going to paste a list of some of the things about phpHaze 2 that make it different from its predecessor. Enjoy...

But why phpHaze v2? I thought phpHaze v1 (1.59.2, to be exact) was the most secure and everything was fine and dandy as-is?
To make a long story short, you are wrong. Even though phpHaze v1 is more secure than 99% of the CMS applications out there, phpHaze v2 is still more secure. phpHaze v2 is organized, designed, and laid out better. With the common developer in mind, we bring you phpHaze v2. Yes, we know, v1 was still beta. This one is certainly alpha.

1. Even Stronger Security!

Introducing unique-key 64-bit encryption:

- phpHaze v1 uses unencrypted cookies as the base of its user login system. If md5 can be decrypted, cookies can be hacked and thus the security of your site is compromised.

- phpHaze v2 uses not just encrypted cookies, but un-decryptable cookies, because it attaches a unique key to each encrypted string. The string is first encrypted using base 64-bit technology, and then the unique key is encrypted and attached to it. An attacker must know the unique key in its unencrypted form (stored safely in a non-public directory on your server, outside the HTML root) to decrypt any data encrypted by phpHaze v2. Only if an attacker gains direct access to your FTP can he compromise your encryption by obtaining the unique key. Otherwise there is no way to retrieve it, inside or outside of the system.

Note: if your server does not support the MCrypt module, then unique-key encryption will not function properly. Instead, phpHaze will encrypt data using basic 64-bit encryption, which can be reversed (decrypted) by an attacker. Even so, the password is still encrypted using the unique key, which is NOT dependent on MCrypt, so it is still highly secure; it just could be more secure. See "Changed password hashing from md5..." below. Note that all Heritage servers are compiled with MCrypt enabled by default, so this will not be an issue there.

- As mentioned earlier, another new security feature is the move of the main config file to a directory outside the HTML root, making it inaccessible from the web and reachable only by the script itself or via FTP.

- All requirements for Register Globals to be enabled have been removed, along with the listener in the core that handled them, making phpHaze that much faster.

- Changed password hashing from md5 (technically double-md5) to random salt + sha1. Enjoy, attackers! If I hear even one rumor, even if probably false, that sha1 was broken, I will double the encryption there as well, even though the random salt keeps it secure as a single layer. You heard right: I will double encrypt sha1 + use the random salt if I really have to. Test me.

- Updated the imgSafe function to account for PHP scripts; uploaded images scanned through the system are now checked for a much wider array of possible image-based exploits, including but not limited to PHP scripts of any type.

- Fixed an array bug in the isNum function; it could have posed a minor security risk. Not too serious, but a security fix nonetheless, as isNum is primarily used for security reasons on various numeric $_GET requests in the system.

- phpHaze v1 allows you to edit the account data for the primary system administrator, "user_id = '1'", the first account ever created, from the admin panel. phpHaze v2 disables this feature in its entirety: the first system admin won't even be returned as a possibility in ANY user-admin result. Only the first user themselves can update their data, via the personal account page. You'll never see their record in your new admin area.

- Encrypted messaging.
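To make the two v2 storage changes above concrete, here is an added example in plain PHP; it is not phpHaze code, and the function names, the "salt:hash" layout and the key path are assumptions. The openssl functions stand in for MCrypt (removed from core PHP in 7.2), and PHP's built-in password_hash() would be the modern replacement for salt + sha1.

```php
<?php
// Added example, not phpHaze code: the password and cookie formats the post
// describes, sketched in plain PHP. Names, layout and the key path are assumed.
// openssl_* replaces MCrypt (gone from core PHP since 7.2); password_hash()
// is the modern replacement for salt + sha1.

// 1) Password storage: random per-user salt + sha1, kept as "salt:hash".
function hashPassword(string $password): string {
    $salt = bin2hex(random_bytes(8));           // 16 hex chars, unique per user
    return $salt . ':' . sha1($salt . $password);
}

function verifyPassword(string $password, string $stored): bool {
    [$salt, $hash] = explode(':', $stored, 2);
    return hash_equals($hash, sha1($salt . $password)); // constant-time compare
}

// 2) Cookies. The no-MCrypt fallback is plain base64, which anyone can decode.
function sealCookiePlain(array $data): string {
    return base64_encode(json_encode($data));
}

// Keyed form: AES-CBC plus an HMAC, both under a secret read from outside the
// HTML root (assumed path). Without the key a cookie can neither be read nor forged.
function loadSecretKey(): string {
    return file_get_contents('/home/site/private/cookie.key'); // 32 random bytes
}

function sealCookieKeyed(array $data, string $key): string {
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt(json_encode($data), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);   // authenticate IV + ciphertext
    return base64_encode($iv . $ct . $mac);
}

function openCookieKeyed(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) return null; // iv + 1 block + mac
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) return null; // tampered
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : json_decode($plain, true);
}

// Usage sketch (constructed values):
$stored = hashPassword('hunter2');
$ok     = verifyPassword('hunter2', $stored);      // login check against the stored salt:hash
$key    = loadSecretKey();
setcookie('haze', sealCookieKeyed(['user_id' => 7], $key), 0, '/', '', true, true); // Secure + HttpOnly
```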

2. User Level management

- No more static user levels (member, mod, admin, etc). They are now dynamic, served by your admin panel with a new area to manage them entirely. System-based levels (the old ones) are non-removable and can only have their name and rights edited at any given time. This is to prevent possible fatal issues should you accidentally remove or edit the wrong piece of data for a system-required level.
- However, you can add as many new levels as you like. We are using a large number, 99999, to base the access on; technically you have about 80,000 possible user levels between default member and moderator. You can also add about 10,000 between the various administrator ranks.
- Nothing is infinite, not even user accounts: you could technically only have a current maximum number of accounts, or accounts ever created, of presumably 999,999,999,999,999. It stops there, as an example of how a system like this really works. Even PHP-Fusion, which phpHaze is a direct spin-off of (or a spawn of, if you will), is not unlimited or infinite. With PHP-Fusion it is actually a lot less than a 15-digit number; it used to be 5 digits, but I think v7 of PHP-Fusion upped it to 8 as they started to hit maximums on big sites. phpHaze basically doubles this, for further assurance that you won't hit these limits unless you actually attempt to. Note that in PHP-Fusion there is NO user level management whatsoever.

3. Better Theme System

- The new theme system is more flexible, giving you control over your site's output from <html> to </html>, with the obvious exception of complex administration areas. As a whole, the theme system has been rewritten totally, and hopefully will not need future adjustments, as updating custom themes with an upgrade package can be a complex and non-universal process, unlike system updates. Inconsistencies can occur easily. Let's try to get it right the first time, with phpHaze v2 (starting to see why we had to go to version 2, rather than 1.6? 1.6 simply would not support this system framework at all).

3. Better User management

- The new advanced user management area is loaded with features, to name a few:
-- Pagination: splits user results into multiple pages
-- User search: ability to filter user results by partial or full username, email, or IP
-- Mass user deletion using checkboxes
-- Import Users: you can now import a spreadsheet (CSV) of user data. This allows you to add multiple accounts at once. Useful for large corporations with data already on file prior to installing phpHaze. As a direct result, you can also export existing accounts (CSV). phpHaze knows what to do when adding accounts with pre-encrypted passwords or plain-text passwords (the difference being an import versus an export/delete/import). Yes, clever, wasn't it?
- Not to mention you can also now disable the requirement of administrator activation for new accounts, which gives you flexibility over a private or public style website.
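The import item above says the system tells pre-encrypted passwords from plain-text ones; the following added example (not phpHaze code) shows one way to do that by recognising the stored hash format and hashing only the plain-text values. The column layout (username,email,password) and the "salt:sha1" format are assumptions.

```php
<?php
// Added example, not phpHaze code: a CSV user import that recognises a password
// already stored as "salt:sha1" and hashes only plain-text ones.
// The column layout and the hash format are assumptions.
function hashPassword(string $password): string {
    $salt = bin2hex(random_bytes(8));
    return $salt . ':' . sha1($salt . $password);
}

// A value produced by an export looks like 16 hex chars, a colon, 40 hex chars.
function isStoredHash(string $value): bool {
    return (bool) preg_match('/^[0-9a-f]{16}:[0-9a-f]{40}$/', $value);
}

// Returns rows ready for the users table; plain-text passwords never leave this function.
function importUsers(string $csv): array {
    $rows = [];
    $fh = fopen('php://memory', 'r+');
    fwrite($fh, $csv);
    rewind($fh);
    $header = fgetcsv($fh);                      // username,email,password
    while (($rec = fgetcsv($fh)) !== false) {
        if (count($rec) !== count($header)) continue;   // skip malformed lines
        $row = array_combine($header, $rec);
        $row['password'] = isStoredHash($row['password'])
            ? $row['password']                   // re-import of an export: keep as-is
            : hashPassword($row['password']);    // fresh plain text: hash now
        $rows[] = $row;
    }
    fclose($fh);
    return $rows;
}

// Constructed sample: one row that came from an export, one typed in by hand.
$sample = "username,email,password\n"
        . "alice,alice@example.com,0123456789abcdef:" . sha1('0123456789abcdef' . 'pw') . "\n"
        . "bob,bob@example.com,plain-secret\n";
foreach (importUsers($sample) as $u) {
    echo $u['username'], ' ', $u['password'], "\n";   // password column is salt:hash for both
}
```

After a plain-text import the CSV file itself should be deleted from the server, since it is the only remaining copy of those passwords.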

4. Localization

- phpHaze is now mostly (99%) controlled by language packs (where in v1 the percentage was roughly... 2%?). It only comes with the English language pack by default; you are free to create your own and install them at your leisure. However, modifying any other phpHaze code is against copyright law. Minor parts of the language may still be static, not controlled in the packs themselves. We will address these during service releases, as some of the features in phpHaze cannot be localized because they are far too dynamic. Later service releases will address this issue and a compromise will be made in the programming to make it possible; at this point, however, there is not even a demand for anything besides English. We are just preparing for more languages in the future, so there's no real rush to update the language pack past the current point unless absolutely necessary.

5. Even more portability

- Multiple settings sets: you can save your current settings as a backup set, and you can use this to run multiple installations of the system with different languages or themes, each using a different settings set. You can also use them simply to restore a set of settings, which could fix issues you may have after changing your settings, should you choose to create a separate copy when you save them.

6. Better "Help Logging In"

- Did away with the forgot password feature totally. phpHaze now uses a more secure method to reset your password via an encrypted key sent by e-mail to your account's address on file.
- Added a "Forgot Username" feature that will send the current username text to the account email; it is not as sensitive as a password, so it can be sent rather than reset.
- Moved forgot password to the "need help logging in" page and replaced "forgot password" on the login box with "Help". More straightforward.
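The reset-by-e-mailed-key flow described above, as an added example that is not phpHaze's own code: the user receives a random one-time key, the table stores only its hash with an expiry, and a new password is set only when the key matches. The function names, the one-hour lifetime and the in-memory users array are assumptions.

```php
<?php
// Added example, not phpHaze code: a reset flow of the kind the post describes.
// Storage is an array standing in for the users table; names and TTL are assumed.
const RESET_TTL = 3600;   // key valid for one hour (assumed)

$users = [   // constructed sample, keyed by e-mail address
    'alice@example.com' => ['user_id' => 7, 'username' => 'alice',
                            'reset_hash' => null, 'reset_expires' => 0],
];

// Issue a key: the user gets the raw key by e-mail, the table keeps only its sha256.
function issueResetKey(array &$users, string $email, int $now): ?string {
    if (!isset($users[$email])) return null;     // caller shows the same message either way
    $key = bin2hex(random_bytes(32));            // 256-bit, unguessable
    $users[$email]['reset_hash']    = hash('sha256', $key);
    $users[$email]['reset_expires'] = $now + RESET_TTL;
    return $key;                                 // goes into the e-mailed link only
}

// Redeem it: constant-time match, not expired, then invalidated so it works once.
function redeemResetKey(array &$users, string $email, string $key,
                        string $newPassword, int $now): bool {
    if (!isset($users[$email]) || $users[$email]['reset_hash'] === null) return false;
    $u = &$users[$email];
    if ($now > $u['reset_expires']) return false;
    if (!hash_equals($u['reset_hash'], hash('sha256', $key))) return false;
    $salt = bin2hex(random_bytes(8));
    $u['password']      = $salt . ':' . sha1($salt . $newPassword);   // the post's salt + sha1
    $u['reset_hash']    = null;                   // single use
    $u['reset_expires'] = 0;
    return true;
}

// "Forgot username" needs no key: the name is mailed outright, as the post says.
function forgottenUsername(array $users, string $email): ?string {
    return $users[$email]['username'] ?? null;
}

// Usage sketch: issue, then try a wrong key, the right key, and the same key again.
$now = time();
$key = issueResetKey($users, 'alice@example.com', $now);
$attempts = [
    'wrong key' => redeemResetKey($users, 'alice@example.com', 'not-the-key', 'x', $now),
    'right key' => redeemResetKey($users, 'alice@example.com', $key, 'newpass', $now),
    'reused key' => redeemResetKey($users, 'alice@example.com', $key, 'again', $now),
];
var_dump($attempts);
```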

7. Module driven

- A lot of the stock features in phpHaze are modular, meaning you can disable and enable them at any time, which in turn lets the system know you want anything related to that module disabled elsewhere as well. It's mighty useful, trust me.

8. System organization and hierarchy

- The system itself and the folder structure are just organized better overall. I rewrote and redid EVERYTHING, literally, character for character, file for file. Moved files around, etc. It makes it easier for fellow developers to find what they are looking for, and also to apply updates touching as few files as possible.

9. It's faster.

- Made use of caching to store the latest haze version; this prevents the need to fetch it on every admin page reload, and it is now fetched only on the index page. The admin panel now runs many, many times faster than in the past.
- Removed all unnecessary scripting that may slow the system noticeably (not accounting for database size).
- On the templating/theming side of things, I've attempted to minimize JavaScript and inline CSS as much as possible. 99% of scripting and CSS styling now happens in the theme itself, not in the system as in the past.

10. Other stuff

- Updated all classes used by phpHaze (phpmailer, httpdownload, smtp, etc) to their latest versions

[Coming Soon]

- Virtual Cronjobs: instruct phpHaze to run certain scripts on certain days & times, like the cronjob manager in cPanel.
