MOFHY Lite is a free web hosting management system to manage MOFH hosting accounts and SSL certificates.

When I click an navigation button, it sends me to the page but without a / between src and admin. Only provides a 404 error (as expected) Any help would be appreciated.

I use this script in Https://account.easyteach.tk/ Every thing is fine but mail sending system is not working I tried Gmail ,own server , mail gun SMTP Please solve

This issue has been disclosed privately to the author (on Jan 8th) but it's taking too long to be fixed.

The following text are mostly copied and pasted from the email: I noticed the use of LEFSESS cookie to remember a user login. This can easily be manipulated and can be used to take over someone else's account just by knowing their email address. If you know someone's email address, you can base64 encode it and set it as the cookie. This screenshot shows that the vulnerability works. On the left-hand side is the Client Area accessed by manually logging in. On the right-hand side is the Client Area accessed by just editing the cookie for LEFSESS using this website https://www.base64encode.org/ and appending "%3D%3D" at the end of the encoded result to the cookie. This is a very critical problem and must be prioritized.

Affected files:

• src/function/Login.php (set cookie part).
• src/handler/CookieHandler.php (entire logic).
• And other files that handle the ADMIN cookies.

Describe the bug Ummm,Cant Create Account,Getting Somethin Went Wrong Error. IP Already Set Callback too

Desktop (please complete the following information):

• OS: MacOS
• Browse : Safari
• Version: 12.0.1

Smartphone (please complete the following information):

• Device: Realme XT
• OS: Android,Realme UI
• Browser : Chrome
• Version Android 10

Account Created But CA Didnt Show.

This is just a doubt. So during signup/reset password, has the verification system changed to direct link verification or still the same old token system? I have not yet updated to v1.0.5.

Fatal error: Uncaught GuzzleHttp\Exception\ConnectException: Error while connecting to the host in /owo/owo/owo/owo/public/owo/modules/guzzlehttp/guzzle/src/Handler/CurlFactory.php:210 Stack trace: #0

The check to ensure a user is logged in is performed but not enforced. The user may seem to be redirected away but the underlying code is still executed. This caused requests to still be processed. I've tested it on the Admin Change Area Settings but this will work on any other functions that modify the database state and accept POST or GET requests.

BEFORE:

AFTER:

The request:

Reference and how to solve: https://www.php.net/manual/en/function.header.php

This might be the last report I'll make in this repository. I stumbled upon this flaw when checking the admin's session handler.

Hello, sorry but I have created a new hosting account with a test user, I have chosen a domain extension that I have added to my panel (.fuxy.ml) but for some reason, I create the account with a domain name with characters random apparently and also with the main extension. And it's not what I want.

Would you dare to access my website and try it out for yourself?

I had already installed Santi's version and the exact same thing happened to me.

https://img.aoli.ml/mcDUehO.png

This issue has been disclosed privately to the author (on Jan 8th) but it's taking too long to be fixed.

The following text is mostly copied and pasted from the email: On src/template/ViewKnowledgebase.php line 4, you are using $_GET without any sanitation such as htmlspecialchars (https://www.php.net/manual/en/function.htmlspecialchars.php) which caused an XSS vulnerability. I only spot this one area, but there might be more. (XSS can be used to send requests on behalf of the user, so don't take this lightly)

It's here! Added Google ReCaptcha functionality on login and signup pages. Because I'm lazy, you're going to have to add the keys manually (It's only 4 files, not bad at all). I also updated the install instructions to make them easier to follow, and to guide new users in Google ReCaptcha setup.

I downloaded the source, then installed it on my reseller hosting site, then I tried to edit client account and that settings.php is missing on admin/settings.php

Parse error: syntax error, unexpected '?' in /home/vol14_5/boomhost.ml/www/area.boomhost.ml/htdocs/admin/template/MySSL.php on line 30

and mail dont work php version 5.6 then i change to 7.4 but dont help

mysqli_real_escape_string CAN PREVENT SQL Injection BUT it cant FULLY PREVENT SQL Injection. So,Its Safe But Unsafe? xD https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string

Describe the bug The application echos un-encoded GET values

Expected behavior The application does not echo un-encoded GET values

Screenshots Example:

Additional context The following pages have the error: src/admin/template/AccountSettings.php:5 src/admin/template/AccountSettings.php:5 src/template/ViewAccount.php:4 src/template/AccountSettings.php:6 src/template/ViewSSL.php:4 src/template/cPLogin.php:5 src/template/ViewKnowledgebase.php:4 src/template/ViewKnowledgebase.php:4 src/template/ViewTicket.php:117 src/admin/template/ViewAccount.php:4

In admin panel mofhy When I entered and update api key . It send me do this page https://account.easyteachhost.tk/admin/function/BuilderSettings.php But in mofhy it is not available . Please add this