Hello! I discovered Feindura only recently, when I was looking for a CMS for my small page. It looks nice and well designed to me, however I found some disadvantages which prevent me from using it for my tasks. I thought it would be useful to report them. First of all, I want to build a multi-language website with the Russian as a primary language. However, Feindura does not let me choose the 'latin' page name for a page with a name in Russian. I believe, it would be convenient to have an ability to edit a link to the page by hand in such cases (although, the Unicode URLs are allowed nowadays as well, if I'm not mistaking). The second disadvantage is the flash-based file upload only. It is inconvenient for the users like me, that do not use Flash-plugin. I wrote some of my thoughts about this problem in the 'Ideas' section here: https://getsatisfaction.com/feindura/topics/flash_free_file_upload

Unless these two issues are fixed or I find a way to work-around them, I cannot use Feindura for my web-site. Which is a pity, because I like Feindura look&feel very much!

Regards, Vladimir

the regexp to replace the <img class="feindura..." also matches img tags without a class attribute. If my page contains

<p>
some text
<img src="image1.jpg" />
<img src="image2.jpg" />
some more text
</p>
and some more text
<p>
<img class="feindurasnippet" />
</p>
after snippet

the resulting page after replacing the snippet is

<p>
some text
<<content of snippet>>
</p>
after snippet

Add the abbility to eg. create a site Stub (maybe within a Category) and than be able to use that in a Page as a Template.

An example :

I have a Page with a Discography. Everytime a new Album is released the Author has to update the Site.

I create a new Site in Category 'Layout Elements' with the Template for a Album entry. If the Author has to add a new Album he then can select the Template in the editor and change all needed Content.

Any recommendation how to implement that Feature?

Hello, Fabian, I just develop a pagination plugin for Feindura you could take a look at https://github.com/victorgavilan/feindura-flat-file-cms in the plugins folder.

If you like I can do a pull request to include it in the master feindura repository.

Another thing that I would like you take a look is the cookies branch in my fork repository of feindura. There I have added the posibility for the user to disabled the use of sessions and cookies in the front end. This is useful in some european countries where there is not allowed to install cookies without the autorization of the user that visit our site.

If you think it is right and want to include this changes into feindura I could do another pull request to the master or development branch.

I'd like to see a option to disable the captcha in a contact form. It fails do appear where I installed it, and I don't need it. All others field are pretty easy to enable or disable in the settings. A option for the captcha would be great!

Hello, here is the Spanish translations for the plugins and also some fixes in the previous backend translation.

I also fix a little bug in the ZenPHP library.

Hello Developers, with me is need for assistance and I have installed the latest version of Feindura.

It was a demo site package. I have renamed only the directory "feinduraDemoSite" in "Feindura". Now I have this error in the frontend.

Strict Standards: Non-static method StatisticFunctions::getCurrentCategoryId() should not be called statically, assuming $this from incompatible context in /www/htdocs/xxxxxxxx/feindura/cms/library/classes/FeinduraBase.class.php on line 325

Strict Standards: Non-static method GeneralFunctions::replaceLinks() should not be called statically, assuming $this from incompatible context in /www/htdocs/xxxxxxxxx/feindura/cms/library/classes/FeinduraBase.class.php on line 1150

Strict Standards: Non-static method GeneralFunctions::replaceSnippets() should not be called statically, assuming $this from incompatible context in /www/htdocs/xxxxxxx/feindura/cms/library/classes/FeinduraBase.class.php on line 1151

Who can help. Unfortunately I'm unable to continue.

Thank you in advance.

I just saw a typo while browsing the source of a HTML file.

Plugin ContactForm generates class="chapta_..." but I think you meant Captcha?

"Completely Automated Public Turing test to tell Computers and Humans Apart"

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are required to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Berlin' for 'CET/1.0/no DST' instead in .../cms/library/classes/StatisticFunctions.class.php on line 307

change the feindura interface to ajax. when changing things, like set the age status etc, always reload the by ajax, rather then reloading the whole page.

could be done easily? loading the view, an putting it in the content div.

create a function called: loadContent()?

• Fiendura version: 2.0.7 • PHP Version: 5.6.35 • Apache Version: 2.4.33 • Operating system: microsoft windows v10

VULNERABILITY TYPE: cross-site scripting.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source; the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

STEPS TO REPRODUCE:

1: login in Fiendura. 2: Go for creating a new page by clicking on the new page. 3: In the tags parameter, type the malicious javascript /default.aspx#"><img src=x onerror=prompt('0');> 4: The malicious javascript will be reflected in the browser.

PROOF OF CONCEPT:

Vulnerable URL: http://127.0.0.16/index.php?category=0&page=new Vulnerable parameter: Tags Malicious script: /default.aspx#"><img src=x onerror=prompt('0');>

1: enter the malicious javascript in the Tags parameter.

2: after entering the payload an XSS prompt will be reflected on the browser. Submitted: Ritesh Kumar Reference: https://www.owasp.org/index.php/Crosssite_Scripting_(XSS)

Hi,

I am trying to upgrade to the new version, but i get serveral issues.

1. Some functions being called should be declared as static in GeneralFunctions.class.php
2. When I try to upgrade the content the script stops working. In XAMPP it is showing the following logs

[Fri Jun 24 15:35:02.431980 2016] [core:notice] [pid 6168:tid 256] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache' [Fri Jun 24 15:35:02.433980 2016] [mpm_winnt:notice] [pid 6168:tid 256] AH00418: Parent: Created child process 516 [Fri Jun 24 15:35:02.875980 2016] [ssl:warn] [pid 516:tid 268] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Fri Jun 24 15:35:03.136980 2016] [ssl:warn] [pid 516:tid 268] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Fri Jun 24 15:35:03.262980 2016] [mpm_winnt:notice] [pid 516:tid 268] AH00354: Child: Starting 150 worker threads.

On my WebSpace I can not see any logs, but the script is also interrupted. Can I call the update manually?

I am updateing from 2.0.4 Build 1025 → 2.0.7 Build 1028

I have 2.0.7 installed on MS Server 2003, and all works well...except: when in the admin panel and I expand the snippets or css divs, and select a file to edit, the page refreshes but nothing else happens and I never have the option to edit the file. Help?

Thank you for your time and a wonderful product.

Jeremy Spaulding

The header of the demo-site has no background color to the right of the window edge.

To reproduce, open the demo-site, resize the browser window to be much smaller than the site and scroll to the right.

I think the attached image makes it all clear.

Hi,

XSS is possible in URL function that is available here: https://github.com/frozeman/feindura-flat-file-cms/blob/527920f665ba0ace68e5f22a1ddc7de078108504/library/classes/XssFilter.class.php#L410

The vector is: javascript://www.xss.com?%0aalert%281%29

The regular expression you are using happily parse the above vector and attacker can execute JavaScript. The easiest fix would be instead of having a-z and A-Z in regular expression ... It should be something like http or https ...

i got a problem. if i delete the htaccess it works, if i put it back it wont.

so the settings made in the htaccess wont work on the hoster one.com.

What can i do now