Topic: CuteNews 1.5.0 Review
Time to grab a cup of coffee, here are my thoughts and findings after a few days of testing!
Review
CuteNews 1.5.0 beta brings groundbreaking changes. The code has been restructured, non-ASCII characters are finally supported natively, and new features make various tasks easier. The design has been refreshed while staying loyal to the basic style. Still in its first steps, there obviously aren't many plugins one can add to CuteNews just yet, but I'm convinced the CuteNews 1.5 branch will be very fruitful.
To name a few things I really like:
- The new preview function in the 'Add News' module,
- additional fields in Add/Edit News natively supported,
- the example files example1.php and example2.php linked on the admin main page,
- edit link displayed in show_news.php when one is logged in.
- The change log is provided for CuteNews 1.5.0 - very useful reference.
- WYSIWYG enabled by default probably better for the broad audience.
- Errors are now handled with an exception catcher, a nice way to store logs. The downside is that errors are no longer output, so if something is wrong the user isn't immediately informed. Advantages and disadvantages: definitely a good feature for a polished release of CuteNews, less so right now in its beta stage.
- show_news.php, show_archives.php and search.php can no longer be viewed directly. At first I was neutral or negative towards that change, but come to think of it, it's probably a good idea: one could gain a lot of information from those files, information the CuteNews admin didn't necessarily want to share.
Naturally, there still are some issues and I'd like to point out the ones I've found. I don't have endless time but will try to supply bug fixes as time goes by; I'd therefore be thankful for a heads-up if something listed here has already been fixed in CN 1.5.
Bugs — Things that need fixing. I tried to sort by severity, but that's my personal order, of course.
Executable PHP code in templates
Location: ?mod=options&action=templates
Description: Templates are saved into a PHP file as a heredoc string. Writing a line consisting of "HTML;" in a template terminates that heredoc, and anything after it is parsed and executed as PHP, e.g. "HTML; / phpinfo();", the character / standing for a new line. Anyone with access to the template editor can thus run arbitrary PHP on the server.
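To make the mechanism concrete, here is an added example (my own code, not CuteNews's): a writer that stores the template body as a heredoc, the way the finding describes; a check that spots a closing-identifier line in user content; and a writer that stores the body as a string literal via var_export() so no content can end it early. The file paths, function names and the {title} placeholder are assumptions for illustration.

```php
<?php
// Added example, not CuteNews code. Function names, paths and the {title}
// placeholder are assumptions for illustration.

// VULNERABLE: if $body contains a line that begins with "HTML" (the closing
// identifier), PHP ends the heredoc there and parses the rest of $body as code.
function write_template_heredoc(string $path, string $body): void
{
    $php = "<?php\n\$template = <<<HTML\n" . $body . "\nHTML;\n";
    file_put_contents($path, $php, LOCK_EX);
}

// Detect a closing-identifier line. Before PHP 7.3 the identifier had to start
// the line and be followed only by ";" or a newline; since 7.3 it may be
// indented and followed by other code, so the broader form is matched here.
function contains_heredoc_terminator(string $body, string $id = 'HTML'): bool
{
    foreach (preg_split('/\r\n|\r|\n/', $body) as $line) {
        if (preg_match('/^\s*' . preg_quote($id, '/') . '(?![A-Za-z0-9_])/', $line)) {
            return true;
        }
    }
    return false;
}

// SAFER: never splice raw user content into PHP syntax. var_export() emits a
// single-quoted literal with \ and ' escaped, so no body can close the literal
// early, and the file still loads with a plain include.
function write_template_safe(string $path, string $body): void
{
    $php = "<?php\nreturn " . var_export($body, true) . ";\n";
    file_put_contents($path, $php, LOCK_EX);
}

// Constructed attacker payload: closes the heredoc, runs code, then reopens a
// heredoc so the trailing "HTML;" appended by the writer keeps the file valid.
$evil = "Hello {title}\nHTML;\nphpinfo();\n\$template = <<<HTML\n";

var_dump(contains_heredoc_terminator($evil));
var_dump(contains_heredoc_terminator("Hello {title}\n<b>HTML tags</b>"));

// The safe writer round-trips the same payload as inert data.
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
write_template_safe($tmp, $evil);
$roundTrip = include $tmp;
var_dump($roundTrip === $evil);
unlink($tmp);
```

The check alone is a stop-gap (a different closing identifier, or a future PHP relaxing the terminator rules, would need a new pattern); keeping user content out of PHP syntax entirely, as the second writer does, or storing templates as plain data files that are read with file_get_contents() and never included, is the durable fix.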
No input filter on backup name
Location: ?mod=tools&action=backup
Description: A name such as "../" or "[]" can be supplied as the backup folder name; nothing stops the resulting path from pointing outside the backup directory.
No input filter for image deletion
Location: ?mod=images
Description: With some tampering one can delete files outside of the uploads folder; for instance, the server accepts file names that start with ../ (path traversal).
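Both the backup-name and the image-deletion findings come down to the same missing check, so here is one added example (my own code, not CuteNews's) for both: a strict allow-list for a single path component, plus a realpath()-based containment check for files that already exist. The directory layout and function names are assumptions for illustration.

```php
<?php
// Added example, not CuteNews code. Directory names and function names are
// assumptions for illustration.

// Allow-list for a value that must be a single path component (backup folder
// name, uploaded image name). Rejects "../", "[]", NUL bytes, slashes and
// backslashes outright instead of trying to "clean" them.
function is_safe_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)
        && strpos($name, '..') === false;
}

// Defence in depth for an existing file: resolve both sides with realpath()
// and require the target to sit under the base directory. Returns the resolved
// path or null. realpath() also fails for non-existent files, which is what we
// want right before an unlink().
function resolve_inside(string $base, string $name): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/uploads2" is not accepted
    // for base "/srv/uploads".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function delete_image(string $uploadsDir, string $name): bool
{
    if (!is_safe_name($name)) {
        return false;
    }
    $path = resolve_inside($uploadsDir, $name);
    return $path !== null && unlink($path);
}

// Constructed demo: a throwaway tree with an uploads dir and a sibling file.
$root = sys_get_temp_dir() . '/cn_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/a.png', 'x');
file_put_contents($root . '/outside.txt', 'x');

var_dump(is_safe_name('../'), is_safe_name('[]'), is_safe_name('a.png'));
// Traversal towards the sibling file is refused by the containment check.
var_dump(resolve_inside($root . '/uploads', '../outside.txt'));
var_dump(delete_image($root . '/uploads', 'a.png'));

unlink($root . '/outside.txt');
rmdir($root . '/uploads');
rmdir($root);
```

For creating a new backup folder there is no existing file for realpath() to resolve, so there the allow-list is the check that matters; the containment check is the second line of defence for anything that deletes or reads.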
Faulty CSRF check in editnews
Location: ?mod=editnews&...
Description: Approving an unapproved news article doesn't work; it always complains about a failed CSRF check.
CSRF problem in image upload
Location: ?mod=images
Description: Clicking the 'Upload' button twice results in a CSRF error, which is handled in an odd way: the page appears to embed itself.
Half of README.html is a link
Location: README.html
Description: The following invalid HTML can be found in the file: <a href="https://cutephp.com/forum">Forums<a/>. The anchor is closed with <a/> instead of </a>, so it never ends and half of the page becomes a link... I put this as relatively important because the readme is something that will be looked at in the beginning, and it's good to make a good impression.
Case-sensitive regexp for link check
Location: -commenting-
Description: "http://" with any uppercase letters, such as Http://korn19.ch, is not recognized, while http://korn19.ch is. The URL scheme is case-insensitive, so the check should use a case-insensitive match (the i modifier).
Escaping " for unban link
Location: ?mod=ipban
Description: A ban entry containing the symbol " is accepted and is not escaped in the unban link, so it breaks the link's HTML.
Input filter for | in IP ban
Location: ?mod=ipban
Description: Input containing the symbol | is not escaped, although | is the field separator of the ban file. E.g. banning test|3|320984 works and the data is displayed accordingly (times blocked: 3; expires: ...), i.e. the injected fields are read as the record's own columns.
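The two ipban findings above (the unescaped " in the unban link and the unescaped | in the record) are both encoding-for-context problems, so here is one added example (my own code, not CuteNews's) covering both: the separator is escaped reversibly when a record is written, malformed records are refused when read, and the unban link is URL-encoded and then HTML-escaped. The field layout, function names and the unban URL are assumptions for illustration.

```php
<?php
// Added example, not CuteNews code. Record layout (who|blocked|expires),
// function names and the unban URL are assumptions for illustration.

// Make a field safe to store between "|" separators. "%" is escaped first so
// the transform is reversible: a literal "%7C" in the input becomes "%257C"
// and cannot collide with an escaped "|".
function ban_encode_field(string $v): string
{
    return str_replace(['%', '|', "\n", "\r"], ['%25', '%7C', '%0A', '%0D'], $v);
}

function ban_decode_field(string $v): string
{
    return rawurldecode($v); // undoes exactly the escapes above
}

function ban_write_line(string $who, int $blocked, int $expires): string
{
    return implode('|', [ban_encode_field($who), $blocked, $expires]);
}

// Refuse anything that does not have exactly three fields with numeric
// counters, rather than guessing what a malformed line meant.
function ban_parse_line(string $line): ?array
{
    $parts = explode('|', rtrim($line, "\r\n"));
    if (count($parts) !== 3 || !ctype_digit($parts[1]) || !ctype_digit($parts[2])) {
        return null;
    }
    return [
        'who'     => ban_decode_field($parts[0]),
        'blocked' => (int) $parts[1],
        'expires' => (int) $parts[2],
    ];
}

// The unban link: encode for the query string first, then for the HTML
// attribute. One encoding per context, applied in the order the data is nested.
function unban_link(string $who): string
{
    $url = '?mod=ipban&action=unban&who=' . rawurlencode($who);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">unban</a>';
}

// Constructed inputs taken from the findings.
// Written through the encoder, the injected "|3|320984" stays inside field 1.
$line = ban_write_line('test|3|320984', 0, 0);
var_dump($line);
var_dump(ban_parse_line($line));
// Written raw (what the finding describes), the same text parses as three
// fields: who=test, blocked=3, expires=320984.
var_dump(ban_parse_line('test|3|320984'));
// Five fields are refused outright.
var_dump(ban_parse_line('test|3|320984|0|0'));
var_dump(unban_link('evil"><script>'));
```

Rejecting | (and " and newlines) at input time is also fine and simpler; the point of escaping on write is that the storage format then stays correct no matter which code path produces a record.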
Login Ban doesn't work
Location: -login into admin panel-
Description: When I enter false login credentials even just once (isn't that a little harsh?), it says I'm banned for an hour, but logging in with the correct details afterwards works without any problem. It also counts an empty login (empty user name and empty password) as an invalid login.
Additional fields: multiple non-critical issues due to lack of checks
Location: ?mod=tools&action=xfields
Description: a) It is possible to create fields that already exist, such as 'title'. The actual title field is then ignored and only the second, additional 'title' field counts and overwrites the first title. See also issue e).
b) Leaving out the second parameter ("name for admin panel") and submitting returns the message 'successfully created', but in fact nothing has been changed.
c) There is no input filtering whatsoever; it is possible to submit things such as ";|{} ";}. It doesn't mess up the internal structure of the database, but some of these can't be removed afterwards.
d) The XField names aren't escaped on output, so it's possible to break the HTML with something like "> test. No problem if issue c) is fixed with a proper input filter (and the names are escaped with htmlspecialchars() when displayed anyway).
e) Related to issue a): existing XFields can be overwritten by creating a new field with the exact same name.
No input checks in System Configurations
Location: ?mod=options&action=syscon
Description: No input is filtered at all, but nothing (to my knowledge) can break the file's syntax. Settings are also displayed back as-is: if I write HELLO in "comments per page" it shows that again, rather than 0, 1 or some other default value. While any value is accepted for every setting, it never causes errors (to my knowledge), so it's not that important.
One notable thing is that the auto-registration level can be sent to the server as "1", after which newly registered users are granted admin rights. System Configurations are not CSRF-checked, so a forged request from a logged-in admin's browser could flip that setting; there's a possible hole there. Unanswered: does sending an invalid permission level (anything outside of 1-4) cause errors?
Add/Editnews: | turns into I
Location: ?mod=addnews and ?mod=editnews
Description: Any occurrence of the character | in a news title is replaced by I, the capital form of i (| is the field separator of the news file, hence the substitution). I feel bad for posting this because this bug also existed in the CuteNews 1.4 branch and possibly before... it's kind of funny.
No input validation in personal options
Location: ?mod=options&action=personal
Description: Any input is accepted as password, e-mail and avatar URL. There is no way to mess up the database or the output, though.
User logs: Lack of filtering/escaping creates a few non-severe bugs
Location: ?mod=tools&action=userlog
Description: a) No character escaping of $_GET parameters, e.g. ?month_s=">hello works and renders the HTML (reflected XSS).
b) Supplying a hexadecimal-style number (0x1, 0x2, etc.) for the "entries per page" criterion shows the page numbers, but no entries.
c) Any invalid input in the 'from' year, and any valid year up to 1969, makes an additional entry appear that just says it happened "42 years [...]" ago. It also writes an error to the log file: Warning: mktime() expects parameter 6 to be long, string given; /inc/tools.php:315
d) Big negative numbers seem to cause some trouble: the page takes a lot longer to load.
Issues b) through d) can be solved by checking that the years are numeric and > 1990 or so.
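Issues a) through d) share one fix: parse each filter parameter as a bounded integer (no PHP coercion of "0x2", " 5" or "-99999999") and escape every value on output. Here is an added example (my own code, not CuteNews's) that also covers the XField-name output issue above. The parameter names follow the ones quoted in the findings where given (month_s); the other names, the ranges and the defaults are assumptions for illustration.

```php
<?php
// Added example, not CuteNews code. Parameter names other than month_s,
// the ranges and the defaults are assumptions for illustration.

// Strict integer parse: optional sign, decimal digits only, no leading zeros,
// at most 10 digits, then a range check. Anything else yields the default.
function int_param(array $src, string $key, int $min, int $max, int $default): int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    if (!preg_match('/\A-?(0|[1-9][0-9]{0,9})\z/', $src[$key])) {
        return $default;
    }
    $n = (int) $src[$key];
    return ($n >= $min && $n <= $max) ? $n : $default;
}

// One escaping helper for HTML text and attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// All three filter values are integers inside known ranges before they reach
// mktime(), the pager or the template.
function userlog_filters(array $get): array
{
    $thisYear = (int) date('Y');
    return [
        'month_s'  => int_param($get, 'month_s', 1, 12, 1),
        'year_s'   => int_param($get, 'year_s', 1970, $thisYear, $thisYear),
        'per_page' => int_param($get, 'per_page', 1, 500, 50),
    ];
}

// Echoing the filter back into the form: every name and value goes through
// h(), integers included (cheap, and still correct if a field becomes text).
function render_filter_inputs(array $fields): string
{
    $out = '';
    foreach ($fields as $name => $value) {
        $out .= '<input name="' . h($name) . '" value="' . h((string) $value) . '">' . "\n";
    }
    return $out;
}

// Constructed request mirroring the findings: an XSS attempt in month_s, a
// pre-epoch year and a hex-looking page size. All three fall back to defaults.
$get = ['month_s' => '">hello', 'year_s' => '1969', 'per_page' => '0x2'];
var_dump(userlog_filters($get));

// And what the raw value would look like if it were echoed without validation
// but with escaping: the quote and angle bracket are inert.
echo render_filter_inputs(['month_s' => '">hello']);
```

Validation and escaping are separate layers on purpose: the integer check stops the mktime() warning and the slow negative-number page, while h() is what stops the XSS even for a field that is legitimately free text.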
New user has timestamp as avatar
Location: ?mod=editusers&action=list
Description: Upon creating a new user, the user finds a UNIX timestamp in his avatar field. Probably a mix-up in the field order when the user record gets created.
No input validation during installation
Location: - [installing CuteNews 1.5.0]
Description: Any characters can be supplied as user name and password, and the e-mail doesn't have to be valid. For instance, registering the user name "; \ \n ' is accepted, but login fails afterwards. This is not a huge issue as the characters are escaped properly, but virtually any input is accepted.
Infinite loop of errors when ban file missing
Location: ?mod=ipban
Description: If ./cdata/db.ban.php doesn't exist, the script appears to load endlessly and floods the error log with error messages. Not sure whether that can happen with other data files as well. My error log was almost 200 MB after loading the module just twice.
Input filter in News Wizard
Location: ?mod=wizards&action=news
Description: Invalid input produces PHP code that will not run. Of course no sensible person will request A articles per page, but even entering a space produces code like $number = ;
New IP ban defaults to "1 time blocked"
Location: ?mod=ipban
Description: Upon banning an IP address or nickname, the entry defaults to "Blocked: 1" instead of 0.
No response from cutephp.com version check
Location: ?mod=about
Description: A JS file from CutePHP.com is supposed to report whether the installed CuteNews version is up to date, but the file returns nothing. Posted last because I'm not sure whether this is intentional behavior when the version is indeed up to date.
Inconsistent or Unintuitive Behavior, "Halfbugs" — This is somewhere between 'bugs' and 'suggestions'; it's arguable whether these are really bugs
Nicknames and IP addresses together in IP Ban
Nicknames can also be supplied as a banning criterion in the IP Ban module. This is kind of dangerous: if one wanted to ban the nickname *.*.*.*, for instance, it would be interpreted as an IP address pattern and disallow everyone from commenting. It'd be a funny troll...
Lacking CSRF checks
Deleting a category or a news article is not CSRF-checked, nor is changing the system configuration, which is potentially dangerous (see the auto-registration level above).
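As an added example (my own code, not CuteNews's) of the missing check: a per-session CSRF token that is emitted as a hidden field in every state-changing form and compared in constant time before the action runs, shown together with an allow-list for the auto-registration level so that level 1 cannot be set through this form at all. The function names, the session key, the level names and the form field names are assumptions for illustration.

```php
<?php
// Added example, not CuteNews code. Function names, the session key, the
// level names and form field names are assumptions for illustration.

// One token per session, generated from a CSPRNG the first time it is needed.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // 256 bits
    }
    return $_SESSION['csrf'];
}

// Hidden field for every form that changes state (delete category, delete
// news, save system configuration, upload image, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Missing or wrong token: reject. hash_equals() avoids a timing side channel.
// Only POST requests should ever reach this; GET must not change state.
function csrf_check(array $post): bool
{
    if (!isset($post['csrf']) || !is_string($post['csrf'])) {
        return false;
    }
    return hash_equals(csrf_token(), $post['csrf']);
}

// Levels that may be offered for auto-registration. Level 1 (admin) is simply
// absent, so no request can select it. Names are assumed for illustration.
const REG_LEVELS = [2 => 'editor', 3 => 'journalist', 4 => 'commenter'];

function save_syscon(array $post): array
{
    if (!csrf_check($post)) {
        throw new RuntimeException('CSRF check failed');
    }
    $level = (int) ($post['auto_reg_level'] ?? 4);
    if (!array_key_exists($level, REG_LEVELS)) {
        throw new InvalidArgumentException('invalid registration level: ' . $level);
    }
    return ['auto_reg_level' => $level];
}

// Constructed demo. A forged cross-site request has no way to read the
// victim's token, so it arrives without one (or with a guess) and is refused.
$token = csrf_token();
var_dump(csrf_check(['csrf' => $token]), csrf_check(['csrf' => 'guess']), csrf_check([]));
var_dump(save_syscon(['csrf' => $token, 'auto_reg_level' => '4']));
try {
    save_syscon(['csrf' => $token, 'auto_reg_level' => '1']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

A token that lives for the whole session (rather than one that is consumed on first use) also has the practical advantage that submitting a form twice, or keeping two admin tabs open, does not trip the check.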
"Go back" link in IP Ban error message goes to main
Upon an error in the IP Ban module, the usual "go back" link doesn't point to the corresponding module as it normally does; it sends the user to the main page.
Forced to comment as user name when logged in
CuteNews now detects when one is logged in. When a logged-in user wants to comment, the comment form looks the same, including the 'Name' field, which can still be edited. However, a logged-in user is forced to comment under his own name; I find that unintuitive, seeing as the 'Name' field can be edited.
News Preview: Edit and Comments Link
The Addnews module now has a preview function, which is awesome, but clicking on the placeholder 'Comments' and 'Edit' links in the preview sends the user to an invalid link, and the back button won't return to the form (at least in Firefox). Thus the user may lose a lot of text due to a simple mistake.
No expiration date in IP Ban
Description: No expiration date can be set when banning a new IP address. This is a bit weird, since 'expires' is displayed as a prominent value. The 'expires' value is used for failed logins, so one might as well offer that option for manual bans too.
Deleting oneself can't be done, but CuteNews doesn't complain
When attempting to delete oneself via the Add/Edit Users module, CuteNews says that the user was deleted, but that's not true.
Offer to look up nicknames on IP lookup site
In the IP Ban module it is also possible to ban nicknames. Banned names are also clickable and lead to ripe.net, an IP look-up website. Passing a nickname as the argument is silly, of course. The same applies to IP ranges such as 283.85.*.*
No HTML in preview
The Preview function in the Addnews module shows the HTML tags as plain text. Not sure whether this is intended as some sort of security measure.
Input Filtering in RSS
As with the news wizard, any supplied input is accepted and produces invalid RSS files. This is rather trivial, since no one will enter %&*@&# as the encoding and then expect a valid RSS file.
Backslash disappears
The backslash symbol disappears at various places. I know that symbol is a pain and it's not really important, so this is just mentioned for the sake of completeness.
Suggestions — Some personal wishes I have for future CuteNews versions
E-mails should be hidden by default. I don't like the idea that installing the script will automatically (after the first article submitted) show my e-mail address on the internet with a mailto: link. The same applies to newly created users.
Required XFields should be shown by default. It saves the user time to show required fields right away, since those will have to have a value anyway.
Better explanations would be useful, particularly for the system configuration settings "XSS Strict", "Enable User Logs" and "Check IP", and also for "Use UTF-8" and "HTML to Entities". The Replace Words module actually replaces content in the news articles (not comments); that would be good to know.
Plugins: I know CuteNews 1.5 is still in its baby steps, but I'd welcome more information about the whole plugin system, with explanations in the Plugins module for users, including a link to where plugins can be obtained. A plugin system on CutePHP would be great, perhaps comparable to Bukkit's (http://plugins.bukkit.org/). I'd also love some pointers on plugin development so other people can contribute.
This is of course not a priority at the time and I'm sure more will be known as CuteNews progresses! (Y)
Hiding the admin page from search engines (with the appropriate <meta> tags) is an option to consider. When a huge security hole became popular in 1.4.5, one big factor in why so much damage was done was that one could simply search Google for "powered by CuteNews" and find tons of potential victims. It's also beneficial if install pages that were never completed cannot be found by a targeted search. (A noindex tag only reduces discoverability, of course; it's no substitute for fixing the hole or removing the installer.)
Error log viewer, so one doesn't have to look at the errors via FTP or similar. I have a feeling the new CuteNews authors will be against this, but if it is possible, I'd love to make a plugin for that.
I love the preview function and would therefore like to have the preview function in editnews as well.
Nicer errors in the image module when a file couldn't be deleted. This is obviously not a priority, but appearance plays a big role. Currently it just outputs 'could not delete image' (which image?) above the main CuteNews design.
A nice page after news was added might be worth considering; being redirected to edit news with the message 'your changes were saved' came as a surprise to me.
The CuteNews update module requires allow_url_fopen, which isn't exactly a setting that should be suggested to enable. (To my knowledge) the module doesn't check whether it's enabled; it just gives a rather serious-looking error when it can't load the files, giving the impression that something is wrong with the server, while it's fine, if not recommended, to keep allow_url_fopen disabled.
I love the user logs! I wonder where you got the idea from. It would be more valuable if it registered more than just CSRF failures and logins, e.g. when someone changes system configurations or edits a news article.
Language — Some wrong or odd-sounding things
Square brackets [] in my proposition denote things that can be added or left out.
* print.php: lang("The news you what to print was not found", 'print');
Proposition: lang("The news you want to print was not found", 'print');
* Add/Edit Users module: The submit button says "Do Delete"
Proposition: simply "Delete"
* Add/Edit Users module: Error message saying "Not valid Email"
Proposition: "The e-mail [address] [you've entered] is not valid."
* In the Options and System Configurations sections, some names have All Words Capitalized while others don't. I suggest capitalizing only the first word in the system configurations.
* System Configurations (News): option title "use rating", description below "is internal CuteNews system"
Proposition: "Use rating" is fine; the description is not a valid English sentence. Perhaps something like "use the internal rating system".
* System Configurations (News): title "Make backup news", description "when you save a backup of news is done"
Proposition: The title is fine, the description is weird. This needs at least a comma: "when you save, a backup of the news is done", or perhaps "when you add [or edit] news, a backup is made".
* System Configurations (Comments): "newest comments will be shown on the top"
Proposition: "newest comments will be shown at the top"
* System Configurations (Comments): "Allow Mail Field to Act and as URL Field"; description: "visitors will be able to put their site URL insted of mail"
Proposition: "Allow mail field to act as URL field"; description: "visitors will be able to put their site URL instead of [an] [e-]mail"
* Backup module: "BackUp" can be seen a few times, "backup" is a valid word and shouldn't be capitalized in the middle. (looky)
* Templates error: "The name of the template must be only with letters and numbers"
Proposition: "The name of the template may only contain letters and numbers" — other variants possible
* Archives: Help link: "Explaining archives and Their usage" — weird capitalization
* Adding a comment: When logged in: "You logged as member", error: "try again with me username" (Yarr! We pirates?)
Proposition: "You are logged in as a member", "try again with your username"
* Many places: "can not"
Proposition: "cannot" — Both are acceptable but "cannot" is more common.
* Some file (I forgot which): there's a function called RereferCheck. This should be RefererCheck or, better, ReferrerCheck.
I don't mean to make any enemies with this last section; I'm sure we'll agree that CuteNews makes a more serious impression with correct language. I don't think these are major issues, but they're still worth mentioning IMHO.