2. News - PHP CMS Web dev

News

February 2024 - bug fix release

SCHLIX CMS v2.2.8-2 has been released. List of fixes:

  • PHP version 8.2, 8.3 and 5.6 compatibility fixes. It's still compatible with PHP 7.x as well. Please note that while we try to maintain compatibility even with PHP 5.6 (which was released 10 years ago in 2014), may not be guaranteed to be v5.6 compatible next year.
  • Fix for a low-risk SQL injection bug in the Configuration section. Thanks to devious.ch for reporting this. This is considered lower risk as it still requires an administrator privilege to execute it.
  • JQuery - updated to v3.7.1
  • PHPMailer - updated to v6.9.1

To upgrade your existing installation, simply click Settings - System Update.

CVE-2022-45544 for SCHLIX CMS v2.2.7-2 is FALSE

The following is a response to CVE-2022-45544 (2022-11-09) authored by Francisco Marinho, who claimed that there is an "Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 [that] allows attacker to upload arbitrary files and execute arbitrary code." The analysis is incorrect due to the following reasons:

  1. You need an admin access and his proof of concept didn't demonstrate any unauthorized access to the Theme Manager within SCHLIX CMS.
  2. If you write a piece of code in the theme's index.php (e.g. system($_GET['tristao']) ) and upload it, of course you can execute it. In any PHP-based CMS where PHP code is allowed in the theme, you can write anything you want, including system ("rm -rf /") and this is NOT AN ERROR and there is NO UNEXPECTED BEHAVIOUR. You can test this with other PHP-based CMS such as Wordpress, Joomla, or Drupal and the behaviour is identical and this is NOT a vulnerability. If you want to disable a certain PHP function deemed dangerous, do it with disable_functions in php.ini.
  3. There is already a warning in the upload form that you should upload only from a trusted source. We're not responsible for any vulnerability caused by 3rd party plugins. See the second screenshot below.

Francisco's proof of concept, as described in https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md and https://www.youtube.com/watch?v=_0X6AzXmhrU, is as follows:

  1. Login with your account
  2. Access the directory in url http://[examplewebsite].com/admin/app/core.thememanager
  3. Download theme Superhero in https://www.schlix.com/extensions.releases/action/download/filename/theme_superhero-1.1.zip
  4. Unzip theme_superhero-1.1.zip
  5. Edit file in path superhero/themes/superhero/index.php, adding "system($_GET['tristao']);" on line three.
    • Our response: You can add any code here because it's a PHP script. You can execute system ("rm -rf /") or whatever and it will call the system(...) function unless you disable it via php.ini

      Incorrect POC
  6. Zip theme_superhero-1.1.zip
  7. Click in "INSTALL A PACKAGE"
    • Our response: It prompts for the admin password again and there is a warning to upload files only from a trusted source and that we're not responsible for any security vulnerability caused by 3rd party plugins. This is why we put the warning here. People who have access to this are usually web developers who know what they're doing.

      Upload stage of invalid POC
  8. Upload theme_superhero-1.1.zip
  9. Active theme superhero
  10. Acess homepage index.php
    Our response: You are an admin of this website and you put an arbitrary code in the theme file, which is index.php, and you should be able to execute it. This behaviour is the same whether you use Wordpress, Drupal, Joomla, or SCHLIX CMS.
    Sample output of incorrect analysis - CVE-20222-45544

Not only the analysis is faulty and demonstrated a lack of due dilligence and programming knowledge on the so called "pentester" part, we weren't even contacted to verify his claim, which is usually the standard procedure for reporting a vulnerability. We have dealt with much more professional and knowledgable individuals in the past and we will acknowledge if there is a vulnerability, but Francisco's analysis for CVE-2022-45544 is completely faulty.

It's best for security researchers to contact us first to validate a vulnerability before publishing it.

January 2023 Update - SCHLIX CMS v2.2.8 release with GPLv3 license

C

SCHLIX CMS v2.2.8 has been released with the following changes:

  • License has been changed to GPLv3
  • Fixed a few PHP 8.1 compatibility issues
  • JQuery, PHPMailer and HTMLPurifier have been updated to the latest version
  • A few bug fixes

PHP8.0 compatibility release - v2.2.6

SCHLIX CMS v2.2.6 has been released and it is the first release of 2021 with major focus on the new PHP 8.0 compatibility.

With the v2.2.6 release, the core SCHLIX content management system will be compatible with PHP from version 5.6 to 8.0. However, this may not always be the case with its add-ons (especially if it uses composer), which are not always developed in house.

There could a secondary compatibility release in February or March once we've completed further testing with the next release of PHP 8.0.x. The main issue for the current PHP version (8.0.0) is the incompatibility if the JIT is enabled (off by default). Please note that during our testing, we encountered segmentation fault as described in https://bugs.php.net/bug.php?id=80480. Other than this issue, everything else seems to works.

Time to upgrade again - SCHLIX CMS v2.2.5 has been released with support for OAUTH2-based email authentication

SCHLIX CMS v2.2.5 has been released and it has a new feature: support for SMTP authentication with OAUTH2, which is needed if you use SMTP servers of Google Workspace/GSuite or Outlook.com/Office365. You can read more about how to set it up in here: https://www.schlix.com/documentation/v2/configuration/using-gmail-as-the-default-smtp-server.html. Other than this feature, the new version also contains many updates including:

  • New constant SCHLIX_DEFAULT_CA_BUNDLE containing the path location /system/libs/data/ca-bundle/ca-bundle.pem, which is the most up-to-date certificate authority bundle file in the current release. This is necessary as the default file location varies among different operating systems. This is also needed for some of the shipping & payment plugins of Shoperatus.
  • Support for Samesite Cookie = None for different browsers
  • A more descriptive error for session timeout for AJAX requests
  • Fixed: SMTP settings error when changing the SSL option in Site Manager
  • Fixed: Initial menu base path settings
  • Updated - CKEditor 4.11 to 4.15
  • Updated - Bootstrap 4.3.1 to 4.5.2
  • Updated - TinyMCE 4.9.2 to 4.9.8
  • Updated - CodeMirror 5.25 to 5.57
  • Updated - PHPMailer 6.1.4 to 6.1.7
  • Updated - Fontawesome Free 5.11.2 to 5.15.1

Screenshot of the SMTP OAuth test:

GMail SMTP OAUTH2 settings test

To upgrade your existing installation, simply click Settings - System Update.

First BETA release of Shoperatus v0.9 (e-commerce for SCHLIX CMS)

As planned earlier, we finally released the first generally available e-commerce for SCHLIX CMS for the first time. We were a few days behind our schedule (we were supposed to have released this last Friday) but it's finally here. The first Shoperatus v0.9 BETA has been released. Please note that in order to use this, you must have already have ionCube loader on the server (or on your local workstation).The good news is 99% of PHP web hosting companies have ionCube loader pre-installed by default. 

Unlike SCHLIX CMS, which source is pretty much open, Shoperatus is a closed source software. However, you can still edit and customize the view templates as with other SCHLIX CMS extensions we previously released. The platform itself is still open so that you will be able to create your own payment, shipping and other types of plugins. We will also publish documentation and training manual for this. Since this is the first day of the beta release, not much documentation is available yet, but we're working on it. Note that although Shoperatus is the generally available e-commerce extension, there has been another e-commerce extensions of SCHLIX CMS with slightly different purpose since 2018 but it's only available to commercial clients. You can see this on the demo/showcase screenshot of this website.

Some of the shipping plugins in the screenshots such as AsiaXpress, SpeedPost, IndiaPost and ThailandPost as well as a couple of payment plugins (Xendit - token and Moneris hosted tokenization) will only be available with a commercial license. Note - the free version of Xendit and Moneris hosted payment page are just as good for starters.

We will also release most commonly used shipping plugins such as Purolator, DHL, Fedex and USPS soon.

E-commerce for SCHLIX CMS (PHP/MySQL)

E-commerce extension progress update (September 2020)

We've almost completed the development of the e-commerce extension for SCHLIX, with internal code schtore. This is an update to the previous post back in May 2020. Last week, all features have been finalized and frozen and we're going to release the first beta version in about two weeks from now.

Expected timeline

  • Between September 13 - 18, 2020: first beta release
  • End of September/early October 2020: final release (as extension, fully usable)
  • Mid-Late October 2020: additional shipping options: USPS (America), Fedex, DHL, UPS, Purolator, British Royal Mail will be available.
  • December 2020/January 2021: automated refund, dashboard - integrated with our mapping server.
  • 2021: gift card, store credit, subscription

Current features (frozen as of August 27)

  • E-commerce catalog with multiple images (dynamic image size can be set in the config section).
    • One product can be assigned to multiple categories.
    • Product specifications (each sub-variant has a unique URL)
    • Product variance
    • CTO (Configure-to-order) product options
    • Each product can be optionally assigned a product type. You can assign only 1 product type per product. If you want to have multiple product types per product, use the category (folder) instead of product type sub-application.
    • Downloadable materials attached to product and/or product type (e.g. PDF warranty statements for all product).
  • 127 tax rules for different countries, automatic setup
  • Country, state/province, city database - this is different from most e-commerce as the city input is free-text.
  • Discount - % or fixed.
  • Coupon - must be attached to product for the initial release. We will enable store coupons later.
  • Payment plugins (alphabetical order): Alipay, BluePay (CardConnect), Braintree, G2APay, Midtrans, Moneris, Paypal, Stripe, 2Checkout, Xendit. Offline payments are supported as well (bank cheque, wire transfer, Interac e-Transfer). Note: the available Moneris payments are for Canadian merchants only. We can build the US one as well if there's a request.
  • Shipping plugins (alphabetical order): AsiaXpress, Australia Post, Flat Rate, GoSend, Hongkong Post, India Post, Malaysia Post, Pakistan Post, PHLPost, Postmen, RajaOngkir, Singapore Post, SpeedPost Singapore and Thailand Post
  • All transactions are logged.
  • Security: we test for basic XSS and SQL injection. XXE (XML injection) prevention is already built-in to SCHLIX CMS.
  • Configurable email templates (must use SCHLIX CMS v2.2.4 or later)

Note: some of the payment & shipping plugins will be commercial release.

Caveats for the first version

  • Reporting will be available in the next release. Information can already be extracted via SQL and we can build add-ons suitable to your needs.
  • No gift card & loyalty point functionality yet - that will be done in 2021 if there's a request.

Here's what schtore looks like as of September 2020:

  1. Catalog - product listing
    SCHLIX E-commerce - Catalog

  2. Catalog - Images
    SCHLIX E-commerce - product images

  3. Product Type - Options (CTO)
    SCHLIX E-commerce - product options

  4. Product type - CTO option choice
    SCHLIX E-commerce - product option choice

  5. Product - Options (CTO)


  6. Config
    SCHLIX E-commerce - config

  7. Payment plugins
    SCHLIX E-commerce - payment plugins (Alipay, Paypal, Braintree, Moneris, Xendit)

  8. Shipping plugins
    SCHLIX E-commerce - shipping plugins

Stay tuned for more info! 😄

SCHLIX CMS v2.2.4 has been released with subtle user experience enhancements

SCHLIX CMS v2.2.4 has been released with a few enhancements:

  • Some icons on the toolbar now have been assigned colour so it's easier for the user to find which toolbar button to click.
  • The datetime picker is now a lot more user friendly. Previously, the calendar would pop up automatically whenever the user clicks a datetime input. This behavious has now been changed to requiring the user to click the handle bar if the datetime picker needs to be used. With this behaviour change, it's easier for the user to type freely on the input box without the datetime picker getting in the way.
  • There are various other internal changes as well and this will be  the minimum version required to run SCHLIX CMS e-commerce extension when we release it next month (we'll release the beta version in 2 weeks)

SCHLIX CMS v2.2.4

SCHLIX CMS v2.2.3-1 is now available

SCHLIX CMS v2.2.3-1 has been released. This is a minor update release that fixes a few minor bugs and typos. We are still developing the Schtore e-commerce extension (will be done in September) and this update is required before the extension can be used.

  • Some highlights:
  • Visual - menu appearance on the backend admin
  • Composer packages can now be installed (comand line option has been removed). Please note that PHAR is required
  • PHP 8.0 compatibility issue (str_contains, str_starts_with, str_ends_with)
  • For developers:
    • cmsCurl and cmsXMLTool class. This is used to handle web service calls for the upcoming e-commerce extension, mostly for payment and shipping.
    • Javascript class ___$HTML and ___$INPUT to create html string tags programmatically. SCHLIX.Util.escapeHTML now has a shortcut ___h, similar to the PHP one.

May 2020 update - Schtore e-commerce extension release delay and COVID-19

Greetings,

It has been a little over 3 months since we last released v2.2.2-1 in late January and we finally had the chance to provide some news. First of all, we'd like to apologize for the slower responses for forum replies as well as commercial support between February until April. Even though all of our team members have already been working remotely since 2 years ago, the "new normal" still required some adjustments. COVID-19 took us by surpise and we were scrambling for alternative arrangements for many things, so work stopped for nearly 5 weeks and hence we delayed the release of our e-commerce extension (Schtore). Things are somewhat returning to almost normal now and our response time should be better now.

We realize that everyone is in this together and that there are others who experience even more hardship, so back in April we made a small donation of $2020.04 to Boyle Street Community Service, a non-profit organization for the homeless in the city of Edmonton. Homeless people are very vulnerable in this kind of situation and deserve our help.

Schtore

Schtore is our new e-commerce extension. It's quite massive (custom user-defined table fields, 127 tax rules for different countries (including EU), complete list of currencies and countries (down to the city level, user privacy features, etc). Initially, Schtore will contain the following payment plugins:

  • Paypal Express (global)
  • Braintree (global)
  • Stripe (global)
  • Alipay (China)
  • Moneris (we've only tested the Canadian version, not the US version)
  • Xendit (Indonesia) - as requested in the forum

Shipping plugins:

  • Canada Post
  • Postmen
  • Rajaongkir

There's not that many shipping modules when we release it for the first time, but Postmen should cover most of it.

We may need a volunteer who's willing to test our the EU tax rules.

Schtore Beta - screenshot 1

Schtore Beta - screenshot 2

Schtore Beta - screenshot 5

Schtore Beta - screenshot 4

Please note that this is the temporary layout. It may change once we really release this for general public availability.