CuteNews 1.5.0 release notes.

1.0 CHANGELOG

- Updated module system: modules are now saved as PHP files and get their own templates from the skins/base_skin folder.
- Almost completely rewritten code in a standard programming style, in order to be more readable.
- Fixed the "send_mail" function: on error the message is saved to the log file.
- Fixed ban-by-IP and ban-by-mask errors.
- Improved Administration Panel performance; user login identification is also faster.
- Improved reading of large archives: only brief descriptions of the archives are loaded into memory.
- Completely rewritten installation script, which simplifies the installation process.
- Created an update script from version 1.4.7 to 1.5.0, which simplifies data migration whatever the original charset.
- Improved the data filter for news and comments.
- The HTTP "Content-Type" header now declares the UTF-8 charset.
- Safer template use: if a template is missing, `Default.tpl` is selected.
- Files are no longer called through "./"; the absolute path is calculated with dirname.
- Removed deprecated functions, so CuteNews can run on PHP 4.0.3 and higher.
- Fixed bugs when adding comments.
- Fixed composing bugs in the text editors.
- Saving the configuration no longer redirects the user to a new empty window.
- Simplified the password change procedure in the Privacy settings (this does not affect its security in any way).
- Fixed an image insertion bug in the text editors.
- Fixed an image display bug in Manage Images.
- Fixed comment saving when editing news from the Administration Panel (now supports UTF-8).
- Text can be split into parts without spaces.
- Improved access to news categories for users with different kinds of permissions.
- New check for correct completion of the comment field (a captcha is shown if the field was filled in incorrectly).
- New way of storing guest data in cookies and of checking the password on "Remember" (SHA256 is used when adding a comment).
- Fixed the data backup bug.
- Fixed warnings raised when the script, news, archives and search were included incorrectly.
- Fixed the archive display bug.
- Removed session authorization.
- Minimized CHMOD bugs.
- UTF-8 support: all UTF-8 strings are converted to Unicode.
- Session storage in cookies (encrypted with XXTEA and Base64-encoded).
- Added SHA256 hashing.
- Improved XSS and CSRF safety.
- Developed a system of internal templates.
- Added PHP templates and frontend code.
- serialize/unserialize is used to extend the record representation in the database.
- Records are stored under hash keys to speed up data access (users, news, IP bans).
- The error log is now in a separate file.
- Added the ability to write your own plugins.
- The plugin structure allows the CuteNews code to be changed (forked) completely.
- Added user-defined date formatting.
- Added a system of compilable hooks that can be controlled from the Administration Panel.
- Inserted "breadcrumbs" into some modules of the Administration Panel.
- Created a user log (records of log in, log out, and unauthorized access to personal data errors).
- Added a function to change the date for the "since" format.
- Users are locked out after 3 unsuccessful Administration Panel login attempts within 6 hours.
- Added a {star-rate} field for embedding the built-in voting form.
- Added {year}, {month}, {day} fields to the full news and RSS templates.
- Added new special symbols (umlauts).
- Added a check that the avatar URL is correct and exists, with automatic storage on the server.
- Added a captcha for comments, with numbers and letters.
- More security in user registration and password restore.
- Added a password strength check on registration.
- Simplified inclusion of "Fulltext" search (UTF-8 supported).
- Proper display of a complete article that is included in multiple categories.
- Improved Dashboard on the main page of the Administration Panel.
- More precise definition of file read/write permissions.
- Added the CKEditor text editor (without CKFinder).
- Removed the outdated RTE editor.
- Added built-in Facebook comments.
- Added a new "Customize Search" template to the template editor that allows the search field to be customized.
- Added a module that stores code dumps for later submission for review (licensed versions only!).
- Integrated a module for additional word substitution that lets the user specify regular-expression rules for converting news data.
- Added X-Fields, additional fields that can be used to extend the information on every news item.
- Added ban by IP and by nickname.
- Added a built-in news sorting option ("$orderby" set before including show.news.php); the QuickSort algorithm is used.
- Added the ability to shuffle news randomly.
- Added news display by user name.

1.1 Requirements

- PHP 4.1.0 or later is recommended. Please use older versions at your own risk.
- The "iconv" library must be available if a charset other than UTF-8 is used.

________________________________________________________________________________________________________________________

2.0 Safety improvements

A. XXTEA session cookies

Authentication and verification use XXTEA-encrypted session cookies. The method works as follows:
1. REMOTE_ADDR is added to the session to block replayed requests from other addresses.
2. The $_SESS array is serialized into a string.
3. The serialized string is encrypted with XXTEA under a randomly generated site-specific "salt".
4. The encrypted string is sent to the client in a cookie named `session`.

What does this give? Protection against CSRF and against the user's identification data being readable in clear text. To forge the encrypted data and send it fraudulently, an attacker would need the site's salt and the sender's IP address. The salt is unique to each site and is 512 bits long, so the probability of guessing it is effectively zero. On every page update a new random token is issued, stored in the encrypted session, and must be returned by the user to confirm the request. The same token cannot be resent from another IP address, because the sender's IP address is part of the encrypted data, and any attempt to send an incorrect string logs the user out. Note that binding the session to the address also means a user whose address changes mid-session (mobile networks, rotating proxies) is logged out. However, nothing protects the session data from eavesdropping ("listening") unless an HTTPS connection is used; for that you need to obtain a certificate for your domain from a certificate authority. Read more here http://en.wikipedia.org/wiki/HTTP_Secure

B. CAPTCHA

Spam is still the main problem on the web. A captcha has been added for writing news comments and for account registration; it uses the same encrypted session-cookie mechanism, so the expected answer is stored securely and cannot be read from the cookie by a robot.

C. A function has been created that cleans almost every XSS payload an attacker writes into comments or posts.
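The cookie scheme in A (and the captcha storage in B, which rides on the same mechanism), as an added Python example that is not CuteNews code: it implements the public XXTEA (corrected block TEA) algorithm, serializes the session (JSON stands in for PHP serialize), encrypts under a key derived from the site salt, Base64-encodes the result as the `session` cookie value, and on the way back rejects cookies presented from a different REMOTE_ADDR. The key derivation is an assumption, since the notes give a 512-bit salt but not how it becomes XXTEA's 128-bit key; the function names, sample addresses and the captcha value are made up for illustration.

```python
import base64
import hashlib
import json
import os
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, key):
    # Mixing function from Wheeler and Needham's corrected block TEA (XXTEA).
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of at least two uint32 words in place under a 4-word key."""
    n = len(v)
    rounds = 6 + 52 // n
    s, z = 0, v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, key)) & MASK
            z = v[p]
        v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    """Inverse of xxtea_encrypt_words (same rounds, walked backwards)."""
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, key)) & MASK
            y = v[p]
        v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, key)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def _to_words(data):
    # Zero-pad to whole words (at least one) and append the true byte length.
    padded = (data + b"\x00" * ((-len(data)) % 4)) or b"\x00" * 4
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    return words + [len(data)]


def _from_words(words):
    body = struct.pack("<%dI" % (len(words) - 1), *words[:-1])
    if words[-1] > len(body):
        raise ValueError("length word out of range")
    return body[:words[-1]]


def _key_words(salt):
    # Assumption: SHA-256 of the 512-bit site salt, truncated to 16 bytes,
    # stands in for whatever reduction to a 128-bit XXTEA key is really used.
    return list(struct.unpack("<4I", hashlib.sha256(salt).digest()[:16]))


def seal_session(sess, remote_addr, salt, token=None):
    """Build the `session` cookie value: serialize, XXTEA-encrypt, Base64."""
    payload = dict(sess)
    payload["REMOTE_ADDR"] = remote_addr                 # 1. bind to sender IP
    payload["token"] = token or os.urandom(16).hex()     # fresh per-response token
    data = json.dumps(payload, sort_keys=True).encode()  # 2. JSON stands in for serialize()
    words = xxtea_encrypt_words(_to_words(data), _key_words(salt))  # 3. encrypt
    raw = struct.pack("<%dI" % len(words), *words)
    return base64.b64encode(raw).decode("ascii")         # 4. cookie value


def open_session(cookie, remote_addr, salt):
    """Return the session dict, or None (treat as logged out) on any failure."""
    try:
        raw = base64.b64decode(cookie, validate=True)
        if len(raw) < 8 or len(raw) % 4:
            return None
        words = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
        data = _from_words(xxtea_decrypt_words(words, _key_words(salt)))
        payload = json.loads(data.decode("utf-8"))
    except ValueError:      # bad Base64, bad length word, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("REMOTE_ADDR") != remote_addr:
        return None         # presented from another address: reject it
    return payload


def flip_cookie_byte(cookie, index):
    """Corrupt one ciphertext byte, to show what an unauthenticated cipher does."""
    raw = bytearray(base64.b64decode(cookie))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    SITE_SALT = os.urandom(64)   # 512-bit per-site salt, generated at install time
    ip = "203.0.113.5"           # constructed sample client address
    cookie = seal_session({"user": "admin", "captcha": "k7q2z"}, ip, SITE_SALT)
    print("Set-Cookie: session=" + cookie)
    print("same IP  ->", open_session(cookie, ip, SITE_SALT))
    print("other IP ->", open_session(cookie, "198.51.100.9", SITE_SALT))
    print("tampered ->", open_session(flip_cookie_byte(cookie, 3), ip, SITE_SALT))
```

Two design points worth noticing: the captcha answer in B is just another key in the sealed dict, so the client holds it without being able to read it; and XXTEA is a block cipher, not a MAC, so the rejection of a flipped byte above comes from the length word and the JSON parser choking on garbage rather than from an integrity check. A design that must detect tampering rather than merely make it unlikely adds an HMAC over the ciphertext in addition to the encryption.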
D. Enhanced protection against directory listing (folder view) has been added via .htaccess.