Hi,
In the login-signup.php, the password length is checked against the hashed password instead of the actual password:

 96: $signup_password = password_hash($signup_password_var, PASSWORD_BCRYPT, $options);
134: }elseif(strlen($signup_password) < 6){
135:    echo "<p class='alertRed'>".lang('password_short').".</p>";

To fix this issue, check the password length against the unhashed string. Due to this issue, users can now register with a password with less than 6 chars, making it very easy for attackers to brute-force.

-CS

When I hit logout, the page simply ends the session but doesn't destroy the login cookie. Any fix for that.
You can replicate this issue in the following way:

1. Make two users
2. Edit code in home.php in col3 and add <?php echo $row_username ?> in any empty area
3. Refresh page to get the update and then logout and login using second user.
4. It will show the old username and not the current username.
   PS I'm using that way to get values to auto fill a form and if it doesn't close the cookie, there is no use of it as it will show old user logged values for another user too.

One more issue is, messaging simply doesn't work. Any message you type will come out as '0' and the message won't get displayed.

Lastly an issue with the timing of the report page where the timing gets defaulted to 48 Years.

It would be great if you can suggest a code change to these issues.
Also can you please provide web.config files for the .htaccess files because I have to deploy this project on IIS server.

The project is very beautiful with lots of integration done pre-handed because I was able to use some of the constants you defined for various editing to my custom code.

Thanks
Srivastav

Its possible to overwrite someones posts.
What we only need to know is pid of post which we want to edit.
If we click on post date we will know post pid (pid will be in url param)

Then we need to create our own post, then click edit on our new post and proxy it to BurpSuite.
Then we only need to change pid, massage and send it


We can also edit post visibility by changing pp=Public to pp=Only+me

Chat (messages) are freeze, never show users, cant click nothing

hello.
I am actually very impressed with your work.. but somehow user password will be reset after a few minutes and cant even find what's wrong.
Can.. I know what's wrong?
thanks.

How can I solve this problem? Can you help me? There's a language problem.

wallstant-the-open-source-PHP-social-network-master.zip

Hi
Exist here admin panel or all reports can see all?

ah sorry my bad:

• When you sign up to the first time into your social network, you will be the main admin of website and you can add more admins from Dashboard > users > Edit/Delete .

You created / developed a good copy ( / rip / .. etc.) of some scripts available around net regarding the social network.. BUT your script has a lack of security - a hidden remote access flaw and also a webshell detected by 2-3 antiviruses / defence systems !!
I wonder how GITHUB allows uncertain developers to upload harming scripts.
If you think it is a "mistake".. just try it.. and i upload "the proove"..

Hello... Please how can I set age restrictions and send verification mail to new users to verify their account to know if it has valid mail..

Please trim long post, and if you can limit characters in the post in the admin panel

This issue appears in the website a few seconds after loading the website and the error count increase till the next reloading of the page. Please refer the error below

Failed to load resource: the server responded with a status of 502 (Connection reset by peer)
/includes/fetch_notifybox.php:1

Failed to load resource: the server responded with a status of 502 (Connection reset by peer)
m_requests.php:1

not working your script and that showing message box object Object..
please solve...

please patch your sc

i am get error on sign up

when i sign up i get popup

this pop up give me message [Object object] on signup pages

I've decided that it's time to archive and shut down the project.

I've decided to do this for a number of reasons, here are a few:

• This project built using Pure php and its code is not meets code quality that qualifies it to be a production ready and a lot of issues, because this project was firstly for personal use and was my first project I have completed in my first beginning journey with PHP.
• I lack the motivation to continue to contribute to this project.
• I lack the free time at this point in my life to continue to maintain and develop a project of this scale, and the codebase has languished for a little while already.
• Planning to focus on a real projects that may helps the community and developers with a quality-engineered applications and tools.

I'm going to archive the project shortly, but anyone, of course, is free to fork it and do whatever they please, as this repo will still be available, albeit in read-only mode. I've also locked this issue, as I'm not soliciting input. I've created this for transparency purposes.

Please where is the download link

Hi I am trying to set this Webapp on a Turnkey LAMP stack but I get a strange behavior : the .htaccess file at root directory seems to be not working.

I have made many ajustements :

1. Set AllowOverride to All in /etc/apache2.conf
2. Try setting a RewriteBase arg (/var/www or /) in the .htaccess
3. Try turning off MultiViews in /etc/apache2.conf (figured out it could be the problem)

.htacesss files are working properly in subdirectories. For instance access to /u/username or /toacpnlp/ are working properly ...

Here is an error log for call /signup :
[Mon Nov 23 20:13:06.406880 2020] [rewrite:trace3] [pid 12045] mod_rewrite.c(483): [client 192.168.0.5:63917] 192.168.0.5 - - [192.168.0.26/sid#7fd706eb9ef8][rid#7fd70800f0a0/initial] [perdir /var/www/] strip per-dir prefix: /var/www/signup.php -> signup.php

And here from calling /signup.php (which works fine but the whole webapp has links to none-.php refs) :
[Mon Nov 23 20:16:37.072489 2020] [rewrite:trace3] [pid 12027] mod_rewrite.c(483): [client 192.168.0.5:63997] 192.168.0.5 - - [192.168.0.26/sid#7fd706eb9ef8][rid#7fd707bd40a0/subreq] [perdir /var/www/] strip per-dir prefix: /var/www/signup.php -> signup.php

If anyone could be any help .. Thx a lot

Nothing too fancy, just a place to group/sort certain images into an album so you can find them easier. It's more elegant and easier to navigate too.
@munafio

I like how fast and beautiful it is. But please update more for security.
I could delete every post just replace the ID in Chrome dev tool (inspect element). It's risky.

<a href="javascript:void(0)" onclick="deletePost('1522287978')"><span class="fa fa-trash-o"></span> Delete post</a>

Try replacing with any post ID to 1522287978 .

Server fout!
De server kreeg een interne fout en kon uw vraag niet beantwoorden. De server is overbelast of er was een fout in een CGI script.

Indien u van oordeel bent dat deze server in fout is, gelieve de webmaster te contacteren.

Error 500

Server overloaded or error in a CGI script. At first login

A reflected XSS vulnerability exists in /hashtag/hashtag.php here (lines 19-21):

<head>
    <title><?php echo "Hashtag - ".$_GET['tag'];if($_GET['tag'] == 'search'){echo "Hashtag";} ?> | Wallstant</title>
    <meta charset="UTF-8">

An example URL to exploit said reflected XSS would be:

• http://localhost/hashtag/hashtag.php?tag=%3C/title%3E%3Cscript%3Ealert();%3C/script%3E

Let me know if further details are needed.

Parse error: syntax error, unexpected end of file in E:\xampp\htdocs\Wallstant\includes\head_imports_main.php on line 43

?????

Hello I have an error "error getting posts!

" during the passage in the profile thank you in advance for your answer

Hi first of all thank you for very wonderful project!!

I just want to ask if is it possible to add function like.

1. If someone like a post it displays the NAME of all the people like the post??

2. On the message function. Is it possible to have a CREATE GROUP CHAT? I think that is very useful for the project.

Thank you so much .

Dear Munaf,
When I deployed the site, I come up with the following problem:

Connection failed: SQLSTATE[HY000] [2002] No such file or directory
Fatal error: Call to a member function prepare() on null in /Library/WebServer/Documents/wallstant/config/connect.php on line 31

could you help to solve it?

Best,

Tao

Hi very impress on you're work , And really excited on the v2 did you already upload it sir? Thank you in advance!!

Hello how can i create an add new group/page feature

Thanks for your codding...

Request you to kindly solve the issue, private profile system to public profile system...

Allow guest to see profile and hashtag.

Thanks

Amit

How to access admin dashboard

Every time I create a new Account and try to open an older Account it say sorry this Page isnt Aviable... is there a Fix?

hello sir i got a problem with follow button

Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'id' at row 1 in C:\wamp64\www\wallstant\wallstant\includes\f_action.php on line 51

Hi I have a bug when I upload photos. For example photos in posts or profile picture:

Warning: move_uploaded_file(): Unable to move '/opt/lampp/temp/phpzEnftx' to '../imgs/user_post_img/15895363791294012992.png' in /opt/lampp/htdocs/network/includes/wpost.php on line 75

This CMS has been used in new HTB box, but I am kinda stuck due to fact that it isnt AD and I woke up for it. Do you mind having the chat with the author? :)
Happy Hunting 👍

why the message appears sent always appears 0?

emotions bug .. after updating it indicates an error

When I want to upload a profile photo for example, its position does not match the place of the profile photo

Friends request.. and not Follow. ?
I don't need another twitter... twitter sucks.
I want friend requests.. like your screenshot shows it has.

• So how i do that? friends.. NOT followers...

Hallo,

if I make use of the .htaccess file in the main directory then I be running into a Internal Server Error [no address given]. If I do not use the .htaccess then the script will be shown but the URLs are not working because the PHP extension is missing behind the requested URL. For example: it shows me "home", but it should be "home.php" .

My Server settings are:

Apache, PHP 7.3, SQL 5.7.19, Mod rewrite is on and it also has PDO and I use SSL.
I can not see the error log file because its a shared hosting.

I would be very happy if you try to help me please.
Thanks a lot for You script.
My Domain: https://a-holzer.de/

Kind regards,Andy