42 comments
lifthrasiir · 5 days ago
As someone who has endured the old Web 1.0 era with PHP, I can immediately see that the author didn't have any benefit of hindsight: no error handling, no XSS protection, no CSRF protection, no atomic file writing, no correct permission in the data directory (which means that some settings are still required depending on your webserver), no real way to change password which is built into admin.php, no constant-time comparison on login, no correct template handling (it may or may not recursively expand included files depending on the order!), unlimited writes to the session even when credentials do not match, and of course no protection against any attempt to use fopen wrappers after login. And the supposed "content" management system doesn't allow any file uploading.

The author needs to be a lot more careful about security at the very least. To be precise, PHP is not the culprit here, but does enable lots of easy ways to make your program immediately insecure due to its interface and one has to learn how to avoid them systematically.

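Several of the gaps listed in the comment above (output escaping, CSRF tokens, constant-time credential checks, session writes only after a successful login, fopen wrappers, atomic writes), sketched in PHP as an added example. It is not part of the thread or of the project's code; every function name and the `.txt` page suffix are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: every function name below is hypothetical, not the project's.

// XSS: escape on output, for HTML text and quoted attribute values.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// CSRF: one random token per session, compared in constant time.
function csrf_token(): string {
    return $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
}
function csrf_ok(?string $sent): bool {
    return is_string($sent) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $sent);
}

// Login: store password_hash() output, never the password itself;
// password_verify() is timing-safe. Touch the session only after success.
function login(string $password, string $storedHash): bool {
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    return true;
}

// fopen wrappers and traversal: accept only a plain slug, never a path or URL.
function page_path(string $dataDir, string $name): ?string {
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null; // rejects "php://...", "http://..." and "../x" alike
    }
    return rtrim($dataDir, '/') . '/' . $name . '.txt'; // suffix is assumed
}

// Atomic write: fill a private temp file in the same directory, then rename()
// it over the target so readers never see a half-written page.
function atomic_write(string $path, string $data): bool {
    $tmp = tempnam(dirname($path), 'tmp');
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $data) !== strlen($data) || !rename($tmp, $path)) {
        @unlink($tmp);
        return false;
    }
    return true;
}
```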

pjmlp · 5 days ago
While the effort is welcomed, one has to start somewhere, this is more like a "Hello World CMS".


synergy20 · 5 days ago
Can I hide all the posts before login, which is what a CMS is good for? Else it looks similar to an SSG to me. Thanks.


lsh0 · 5 days ago
Oh - some of those designs in the examples (quark, 0832) take me back. Pure nostalgia. Thank you.


ulrischa · 5 days ago
Nice, but calling this a CMS is a little bit over the top.
