WTS SphereWeb CMS

[Logan22]

Hello guys,
I’d like to introduce your audience to my original project, which has gained popularity in Europe and among the Russian-speaking community.
I just never got around to posting about it here until now.

At one point, I wanted to develop a launcher (game file downloader) in the browser, and that idea eventually evolved into a full-fledged CMS engine with extensive functionality.

SphereWeb is a massive ecosystem for Lineage 2 JAVA servers, packed with everything a server administrator and players might need.
From October 2024 to April 24, 2025, my project has been installed on 250 different domains.
SphereWeb is your best choice — a modern web engine designed specifically for administrators of Lineage 2 Java game servers.
It offers a rich and user-friendly interface for managing your server with ease.

Player Control Panel – covers all player needs:
Authorization, registration, password change, account linking and synchronization, contacting the admin via support system, teleporting a character (and sending items to warehouse) to a town, warehouse management (sending items in-game), and making server donations.

Admin Control Panel – opens up new horizons, giving you access to:

• Extensive panel customization (more on this later)

• Donation history with charts

• News and page creation

• Stream management (add streams)

• Item shop creation

• Starter packs creation

• Bonus code generation

• XenForo news integration

• Email message settings

• Global activity log

• Traffic insights (track where your users come from)

• Extensions section (plugins – more on that later)

• Server management

• Auto software updates

• Tech support

• Custom translations

Now, about the Control Panel settings:
The standard settings are organized into several tabs:

1. Language
   There are 5 available languages: Russian, English, Spanish, Portuguese, and Greek, covering 99% of translation needs. You can also set a default language for the panel.
   
    

2. Features
   Toggle built-in features of the control panel: News, Shop, Balance, Statistics, Support, Balance Transfer, Bonus Code, Streams, Data Emulation.
   Enable/disable options to keep the panel clean and focused on what you need.

3. Captcha
   Support for Google reCAPTCHA, Cloudflare Turnstile, or default hCaptcha.
   Old-school recommendation: use Google reCAPTCHA v2.

4. Fake Online Boosting
   Basic settings for boosting the online counter.

5. Registration Settings
   Configuration options for the registration process.

6. Email
   Connect your panel to an SMTP server.

7. Misc
   General-purpose settings and adjustments.

8. Template
   Choose and preview the design template for your landing page.

9. Logo
   Upload your control panel logo and favicon.

10. Palette
    Customize the color scheme of your control panel interface.

11. Menu
    Add links to your site’s navigation menu.

12. Background
    Upload high-resolution background images for login, registration, and password recovery pages.

13. Notifications
    Set up Telegram notifications for selected events.

In Sphere 2, I’ve paid special attention to plugins, making it easy to add and expand functionality.
By default, the panel includes several built-in extensions (plugins).
 

1. Giveaway – allows you to host item giveaways for users directly on the website.
   

2. Internal Forum – a built-in forum system inside the Control Panel (more details on it below).
   

3. Launcher – a free solution for updating game files. It delivers unmatched speed and runs directly in the browser, allowing full design customization.
   

4. Traders – (currently for Lucera2 only) displays a list of offline shops, their items, prices, and player locations directly on the website.
   

5. Roulette – a fun game where users spin the wheel to win items.
   

6. Item Editor – a tool for creating custom in-game items.

7. Item Increase – tracks and displays item count by ID across the server in graph form, showing which players hold the most.

8. Registration Statistics – a simple chart showing registration trends over time.
   

9. SQL Collection – a plugin for adding or adjusting Java server builds if your current build isn’t supported or needs customization.

---

Supported Java Server Builds

The system currently supports a variety of popular Java server builds. Full list available in the admin panel.

---

Forum Plugin

In the first version of Sphere, a basic internal forum was quite popular among server admins — so in Sphere 2, it came back better than ever.

Inspired by XenForo, the forum is rich in features and designed for both community and solo players:

• Players can create clan communities to connect and play together.

• Clan creators can upload clan logos and header banners, customize text color for the clan name.

• Clan members can post on the public clan wall or chat in a dedicated clan chat.

• Clan logos and banners appear across the forum for all members.

For players who like to show off:

• Under each username, the forum can display PvP/PK stats, in-game time, and character list.

• Players can choose to hide this data if they prefer privacy.

Admins can assign moderator roles to users for specific forum sections, ensuring proper content management and community moderation.
 

Donations & Rewards

The administrator has a wide range of reward settings for player donations — almost every suggested method has been implemented:

1. Cumulative discount system – discounts increase as the total donation amount grows.

2. One-time bonus – an extra reward for a specific donation.

3. Permanent shop discounts – based on the player's total donation history.

4. One-time item shop discounts – also based on total donations.

5. Item-based rewards – configurable rewards delivered automatically after donation.
   

---

Supported Payment Systems

(Current list is available in the admin panel and may vary by region.)

---

SphereWeb Auto-Update System

Sphere is actively developed — I improve it almost daily. To ensure everyone stays updated, I’ve implemented multiple update methods:

1. Automatic – once I push updates to GitHub, they are downloaded to Sphere clients within 5 minutes.

   Note: This may fail due to write permission issues, hence the alternative methods.

2. Manual – if automatic updates are disabled or your site was offline during update release, you can trigger the update manually with one click.

3. File Scanner – this feature scans your Sphere installation, compares files with the latest version, and shows missing or modified files you can restore.
   

---

Control Panel Screenshots

(Here you’d typically show screenshots or say where they can be found.)





 

---

Final Words

A lot of work has gone into this project. I occasionally post updates in the Sphere Telegram channel — when I don’t forget.
I’m truly proud of the results.

---

Want to Install It?

Before you rush in, please note:

• Installation won’t work on localhost.

• A valid SSL certificate is required.

• Repo: GitHub - Cannabytes/SphereWeb2

• Upload the archive to your hosting.

• Open your website in the browser — the installer will guide you.

Some Russian hosting providers block wide IP ranges, which may interfere with installation.

---

Pricing

Three usage plans available:

• Free – limited to 20 game account registrations per day.

• $12.5/month – no Sphere limitations.

• $20/month – no Sphere limitations + access to all commercial plugins.

Your balance is shown in the admin panel, and you can renew access anytime.

All users receive updates, regardless of subscription tier.

A lot of work has been done, and from time to time I share updates in the Sphere Telegram channel — when I don’t forget.
I’m truly proud of what I’ve built.

---

Did you like it? Want to install it yourself?
Please note — you won’t be able to install it on a local server.
A valid SSL certificate is also required.

Steps to install:

1. Download the package from the GitHub repository: Cannabytes/SphereWeb2

2. Extract the archive on your hosting.

Open your website in a browser — the installer will launch automatically. Just follow the instructions.

Minimum Requirements:

• PHP 8.2

• MariaDB or MySQL 5.8

• SSL certificate for your website

---

 

Pricing

SphereWeb offers 3 usage options:

1. Free Plan – limited to 20 game account registrations per day.
2. $12.5/month – no limitations, full access to Sphere features.
3. 3. $20/month – no limitations + access to all commercial plugins.
   Your current balance is shown in the admin panel, and you can renew your license whenever you wish. Regardless of your plan, you will always receive updates.

• Latest Updates:

1. User Registration Source Tracking:
   Now, when a user registers, you can see where they came from before landing on the site via Telegram notifications.

2. Bulk Deletion of Bonus Codes:
   Added functionality to bulk delete bonus codes for better management.

3. Starter Pack Editor:
   A new editor for creating and managing starter packs is now available.

4. Item Removal from Warehouse:
   Admins can now remove items from a user's warehouse.

5. Server-Specific Settings:
   Each server now has a "Functions" button, providing additional customization options for each server.

6. Warehouse Cleanup:
   Admins can now clear the warehouse for all users or by specific item ID.

7. Custom Return Button:
   The "Return to Site" button can now be disabled, and you can set a custom link for it.

8. Character List UI Overhaul:
   The character list in the admin panel has been redesigned to be more minimalist and user-friendly.

9. User Info Page Improvements:
   The user information page has been enhanced for better navigation and access to key data.

10. Donation History Updates:
    The donation history page has been improved for better data presentation.

11. Item Stacking and Splitting:
    Users can now stack or split identical items (e.g., ID 57 (150) + ID 150 = ID 57 (300)). Admins can configure which items can be stacked and split.

12. Account Deletion:
    Users now have the option to delete their own accounts from the account list.

13. Success Chest Plugin:
    A new "Success Chest" plugin has been added, allowing admins to define chests with specific items, their prices, and visual parameters.

14. Reworked Warehouse:
    The warehouse now operates in a separate modal window. When items are purchased, they are automatically added to the warehouse without page reloads.

15. Registration Reward:
    Admins now have the ability to reward users for registration, adding more incentives.

16. Item Stacking and Splitting Customization:
    Admins can now specify which items players can split and stack in their warehouse. These settings are available in the admin panel under the server's "Functions" button, offering granular control over item management.

17. Account Deletion Feature:
    Players now have the ability to remove their accounts from the account list (but not from the server). In the future, this feature will be customizable for each server.

18. Success Chest Plugin:
    A new "Success Chest" plugin has been added, allowing admins to define the items inside the chest. Players can then randomly draw one item from the chest. This feature is still in early testing, and any feedback or issues will be addressed in future updates.

19. Improved Warehouse/Inventory:
    The warehouse/inventory system has been enhanced. Now, when items (such as starter packs or chests) are purchased, they are immediately added to the warehouse without requiring a page refresh. Additionally, the modal window for the warehouse now opens when the warehouse button is clicked with the mouse wheel.

20. Log Sorting by Server:
    Logs now include the ability to sort by server, making it easier to manage and review data for each individual server.

21. Registration Source Tracking:
    Telegram notifications now include information about where a user came from before registering on your site.

22. Bulk Deletion of Bonus Codes:
    Admins can now bulk delete server-specific bonus codes, as well as bonus codes that were generated for all servers.

23. Customizable Starter Packs:
    A new option has been added to modify and customize starter packs, giving more flexibility to server admins.

24. Item Removal from Warehouse in Profile:
    Admins can now remove items from a user's warehouse directly from their profile.

25. "Functions" Button in Admin Panel:
    A new "Functions" button has been added to the admin panel, offering additional tools for server management. This includes the ability to clear the server’s warehouse entirely or by specific item ID.

26. Disabling the "Return to Site" Button:
    Under Admin Panel -> Settings -> Miscellaneous, there is now an option to disable the "Return to Site" button in the site menu

Edited April 24 by Logan22

[Nightw0lf]

 

// Saw this drop on a cheat forum, cracked knuckles, ready to tear it apart.  
// Then I peeked inside... bro. So much work, yet so little care.   
// You're charging $12.5/$20 for a ticking time bomb?  
// curl with hardcoded 'BoberKurwa' that's not protection, that's a meme.  
// Wasn’t even a challenge just a graveyard of dead code and duct tape.  
// Feels like someone copy-pasted from PHP 5.4 dreams into an 8.1 nightmare.  
// Broken English, Russian leftovers, Frankenstein methods...  
// Do yourself a favor and get into a real dev team and learn how code breathes.  
// I will leave it at that and not exposing more *is* the real favor.

 

[Logan22]

  On 4/25/2025 at 9:33 AM, Nightw0lf said:

 

// Saw this drop on a cheat forum, cracked knuckles, ready to tear it apart.  
// Then I peeked inside... bro. So much work, yet so little care.   
// You're charging $12.5/$20 for a ticking time bomb?  
// curl with hardcoded 'BoberKurwa' that's not protection, that's a meme.  
// Wasn’t even a challenge just a graveyard of dead code and duct tape.  
// Feels like someone copy-pasted from PHP 5.4 dreams into an 8.1 nightmare.  
// Broken English, Russian leftovers, Frankenstein methods...  
// Do yourself a favor and get into a real dev team and learn how code breathes.  
// I will leave it at that and not exposing more *is* the real favor.

 

Expand  

You wrote complete nonsense. Everything you said is utter rubbish from someone who doesn’t understand a thing.

As for the ticking time bomb — go ahead and try to prove it. No one has managed so far, and trust me, there’ve been plenty of “smart guys” before you.

 

 

[Nightw0lf]

When a conversation loses its direction and turns into pointless justifications, maybe the problem isn't who's right it's who's insecure. The phrase "there is nothing for me to prove" shows confidence or indifference. But let’s look at it in PHP.

class Logan22 {
    public bool $hasSomethingToProve = false;
    public string $communicationMode = 'normal';
    public bool $usesChatGPT = false;

    public function respond(string $input): string {
        if (str_contains($input, 'prove')) {
            return "I have nothing to prove.";
        }

        if (str_contains($input, 'defensive')) {
            $this->communicationMode = 'defensive';
            return "You got defensive – did something feel threatening?";
        }

        if (str_contains($input, 'ChatGPT')) {
            $this->usesChatGPT = true;
            return "Yes, I use it for speed, accuracy, and because my spelling sucks.";
        }

        return "What did you just say again?";
    }
}

 

[Logan22]

  On 4/25/2025 at 4:24 PM, Nightw0lf said:

When a conversation loses its direction and turns into pointless justifications, maybe the problem isn't who's right it's who's insecure. The phrase "there is nothing for me to prove" shows confidence or indifference. But let’s look at it in PHP.

class Logan22 {
    public bool $hasSomethingToProve = false;
    public string $communicationMode = 'normal';
    public bool $usesChatGPT = false;

    public function respond(string $input): string {
        if (str_contains($input, 'prove')) {
            return "I have nothing to prove.";
        }

        if (str_contains($input, 'defensive')) {
            $this->communicationMode = 'defensive';
            return "You got defensive – did something feel threatening?";
        }

        if (str_contains($input, 'ChatGPT')) {
            $this->usesChatGPT = true;
            return "Yes, I use it for speed, accuracy, and because my spelling sucks.";
        }

        return "What did you just say again?";
    }
}

 

Expand  

 

You were talking about security — I want you to prove that it's actually insecure, try to hack it or something.

You're just talking without any evidence, and that's not right.

Without the personal key that's generated for each site, you can't do anything. And by the way, boberKurwa isn't even used — it's a joke, and you totally fell for it.

You're being very unconstructive.

I appreciate criticism based on facts, and here's a fact: Sphere 2 has been running publicly since October, and there haven't been any successful hacking attempts.

If you doubt that, go ahead and prove me

wrong.

 

[Nightw0lf]

The hardest part for anyone is to reverse engineer your server but you're handing the code out for free. At that point, there's no real challenge.

  Quote

Security through obscurity rule.

Expand  

 

you want facts?
 

public function __construct(?int $userId = null)
    {
        if ($userId == null) {
            return $this;
        }
// you know that constructs does not return values in php?

 

just 1 file bad code.

 

you want to be hacked? show your customers websites that run that code

167.235.*.*

api.spherewe*****

stop writing chatgt, and dont challenge me again i tried to help you, but if you want me i can share everything even guide users how to hack every client you have even your server

[Logan22]

  On 4/26/2025 at 7:36 AM, Nightw0lf said:

The hardest part for anyone is to reverse engineer your server but you're handing the code out for free. At that point, there's no real challenge.

  Quote

Security through obscurity rule.

Expand  

Expand  

You're talking complete nonsense. The source code of SphereAPI, which handles all requests, is closed and has never been published anywhere.

 

 

  On 4/26/2025 at 7:36 AM, Nightw0lf said:

// you know that constructs does not return values in php?

Expand  

That return $this doesn't affect anything, PHP just ignores it. Why are you showing it?

 

 

  On 4/26/2025 at 7:36 AM, Nightw0lf said:

you want to be hacked? show your customers websites that run that code

167.235.*.*

api.spherewe*****

stop writing chatgt, and dont challenge me again i tried to help you, but if you want me i can share everything even guide users how to hack every client you have even your server

Expand  

Yes, of course I want that, and I’m asking you — go ahead and hack it, I’d even be thankful. The most you can probably do is launch a DDoS attack, but that’s not hacking. The IP you see is just a public one, used by default to handle requests. There are many other IPs involved, which aren’t disclosed for privacy reasons.
So, when should I expect your hacker attack?
If you fail, it means you talked big for nothing. I hope you're not all talk and can actually back up your words.

UPD: To make your task easier, I have disabled limits on incorrect and failed requests, so your site/IP won't get blocked.

Edited April 26 by Logan22

[Nightw0lf]

  On 4/26/2025 at 8:42 AM, Logan22 said:

That return $this doesn't affect anything, PHP just ignores it. Why are you showing it?

Expand  

https://github.com/Cannabytes/SphereWeb2/commit/38d76437bec8cf082564cdd5c7ead03019d4bcaf#diff-6a3a65cebb7e157f8baa017cb119bef804a5a603c2789f764c78b2e7af672b2b

not even a mention to your mentor

https://prnt.sc/wug1fMXXRY5y

now fix this
 

ini_set('error_log', __DIR__ . '/errors.txt');
// txt files can be read from the hacker and use errors against your code

 

[Logan22]

  On 4/28/2025 at 5:50 AM, Nightw0lf said:

https://github.com/Cannabytes/SphereWeb2/commit/38d76437bec8cf082564cdd5c7ead03019d4bcaf#diff-6a3a65cebb7e157f8baa017cb119bef804a5a603c2789f764c78b2e7af672b2b

not even a mention to your mentor

https://prnt.sc/wug1fMXXRY5y

now fix this
 

ini_set('error_log', __DIR__ . '/errors.txt');
// txt files can be read from the hacker and use errors against your code

 

Expand  

Kacker I need this for tracking and fixing errors.

So, what's up with the hacking? You said so many words, I've been waiting for so long, and still nothing . I demand results. While you're nitpicking the syntax, I'm still waiting for my server to get hacked .

Maybe I should help you with that?

[Seamless]

Dude, seriously , how are you okay with publishing something like this as a public repo? I spent just 30 minutes reviewing your source code and already managed to bypass your API wall on the admin routes.

You really need to rethink your server to client logic. What's the point of saving data both to your API and to the user's database? You first fetch the servers from your API and then save them to the database. What’s stopping someone from simply fetching their server data directly from the database and bypassing all the API logic?

The client you provide as a public repo should only act as a wrapper around your service API and that's it. The API should handle all the logic, including connecting to the corresponding servers based on  authentication key requests and so on.

I don't even want to get started on the fact that your codebase is a complete mess...... unused variables  everywhere, empty classes, and zero input validation. Anyone can pass whatever payload they want without restrictions.

You seriously need to fix these issues before some poor guy who has no idea ends up buying your service.
And don’t even start with "I'm still waiting for my server to get hacked" because  no one is going to waste time trying to hack something that's not even worth the effort. just by checking this im 90% confident someone can find something. 
Also, you claim that 250 domains are already using your service? I seriously doubt that.  

also LOL 

 

  Quote

$headers = [
    'Content-Type: application/json',
    'Authorization: BoberKurwa',
];

Expand  

Edited April 28 by Seamless

[Nightw0lf]

  On 4/28/2025 at 2:08 PM, Seamless said:

zero input validation

Expand  

i saw somewhere that: $var = (int) $_POST['some_id'] ?? string::error_class('text');
it was when i gave up and deleted the sources

let him, he does not even understand what cross site or mitm means

 

  On 4/28/2025 at 2:08 PM, Seamless said:

Also, you claim that 250 domains are already using your service? I seriously doubt that.  

Expand  

  On 4/28/2025 at 10:15 AM, Logan22 said:

Kacker I need this for tracking and fixing errors.

So, what's up with the hacking? You said so many words, I've been waiting for so long, and still nothing . I demand results. While you're nitpicking the syntax, I'm still waiting for my server to get hacked .

Maybe I should help you with that?

Expand  

still waiting for any client of yours so i can play with them

 

 

DUDE IM GONNA CALL YOU BoberKurwa FROM NOW ON!!

rename your account aswell! BoberKurwa!

 

Note: what happend to your chatgpt answers boberkurwa did your subscription of $12.5/$20 ended?

 

  On 4/28/2025 at 2:08 PM, Seamless said:

your codebase is a complete mess.

Expand  

it is PSR12 standard

[Logan22]

  On 4/28/2025 at 2:08 PM, Seamless said:

Dude, seriously , how are you okay with publishing something like this as a public repo? I spent just 30 minutes reviewing your source code and already managed to bypass your API wall on the admin routes.

You really need to rethink your server to client logic. What's the point of saving data both to your API and to the user's database? You first fetch the servers from your API and then save them to the database. What’s stopping someone from simply fetching their server data directly from the database and bypassing all the API logic?

The client you provide as a public repo should only act as a wrapper around your service API and that's it. The API should handle all the logic, including connecting to the corresponding servers based on  authentication key requests and so on.

I don't even want to get started on the fact that your codebase is a complete mess...... unused variables  everywhere, empty classes, and zero input validation. Anyone can pass whatever payload they want without restrictions.

You seriously need to fix these issues before some poor guy who has no idea ends up buying your service.
And don’t even start with "I'm still waiting for my server to get hacked" because  no one is going to waste time trying to hack something that's not even worth the effort. just by checking this im 90% confident someone can find something. 
Also, you claim that 250 domains are already using your service? I seriously doubt that.  

also LOL 

 

Expand  

That's exactly how it’s designed — everything important is handled on the API server side, for example, processing requests to the game server. Each website has its own token/key for authentication; without it, there will be no interaction with the game server.

Some data can be stored both on my side and on the server side to avoid making frequent requests to the server, which is logical.

 

Yes, there’s a lot of old, unused code that just needs to be cleaned up. It was used before, but after major rewrites it was left lying around. It doesn’t interfere with anything — it’s just there and doesn’t affect the system's operation.

 

Beaver meme kurwa is my favorite.

Unfortunately, you don't know Russian — otherwise, you would’ve spotted even more Easter eggs.

 

I said it’s been installed over 250 times on different domains. You can join my Telegram, there are almost 200 people there — and those are just the ones who entered the chat — and we’ll have a good laugh together at your doubts!

Edited April 28 by Logan22

[Celestine]

@Logan22 Are you logan from mmo-dev forum?

[Splicho]

Why the fuck would u implement russian / polak memes into a codebase a customer uses..

 

Jesus christ grow up

[Nightw0lf]

BoberKurwa: I have the best security

People: No you dont

BoberKurwa: Hack me if you can
BoberKurwa: you suck by the way

  On 4/28/2025 at 2:50 PM, Nightw0lf said:

i saw somewhere that: $var = (int) $_POST['some_id'] ?? string::error_class('text');

Expand  

https://prnt.sc/CXP7shjstc43

 

 

 

 

People: BoberKurwa

BoberKurwa: You ALL SUCK MY PROJECT IS THE BEST YOU CANT HACK IT

People: you have no security

 

https://prnt.sc/BjLkJ5WO1Pzn

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

BoberKurwa

  On 4/25/2025 at 9:33 AM, Nightw0lf said:

// Broken English, Russian leftovers, Frankenstein methods...  

Expand  

https://prnt.sc/_jkOQfsPqUzu

https://prnt.sc/nyJ8X4eubtAH

Edited April 29 by Nightw0lf