Archive for the Joomla Category
During the Joomla Security Bootcamp, in my presentation on cross-site scripting, we discovered a serious vulnerability in Joomla 1.5.2 up to 1.5.7. This issue allows an attacker to inject malicious JavaScript into a Joomla site. Joomlatools reported this issue to the Joomla Security Strike Team on October 4. Later on the issue was also reported on the bug tracker, but it was removed without explanation. So far no official patch has been released, so we have decided to make our own. Normally the Joomla project acts very fast when issues are discovered. It is our hope that a new patched version will be released with this patch as soon as possible.
All Joomla 1.5.x installations are vulnerable.
Update: My patch was a bit too extreme: it filtered out perfectly legal html as well. The link above now points to the updated version.
In Joomla 1.5.2, a new set of options was added to the article parameters (see screenshot). These options allow you to set less strict filtering rules for different user groups, allowing for example managers to insert iframes in articles. However, in a default Joomla installation, no user groups are selected, meaning that submitted articles are not filtered at all, leaving them open to cross-site scripting attacks. Proper testing could have avoided this issue. Especially when messing with security, one has to be extra careful. My patch completely removes this feature, for a number of reasons:
Update: If you do not wish to apply the patch, you can get the same level of protection by changing some settings.
A commenter on Johan’s post about Joomla 1.0’s end-of-life wrote:
“Also it’s the old argument, why upgrade if it’s working fine? Why move to 1.5 when 1.0 is working just fine for me and my users? Why move to Vista if XP is working just fine for me and my users.”
I absolutely agree that you don’t need to upgrade when a site is working fine and doing everything you need. However, if a security vulnerability is discovered in Joomla 1.0, and no one fixes it, you are in trouble. So it’s best to upgrade to 1.5 before the expiration date of 1.0.
Software versions are never maintained ad infinitum. Some projects, like Ubuntu, have a strict end-of-life policy for each release. You always know in advance exactly how much time you have to upgrade.
Joomla hasn’t set an official end-of-life date yet for 1.0 (or 1.5 for that matter). This might sound like you still have a lot of time to upgrade, but that might not be the case. Joomla is a volunteer driven open source project. It’s dependent on how much people ‘feel like’ maintaining an older version. I doubt anyone in the project feels like doing a lot of work on 1.0 anymore, so in reality, the lifecycle could already have ended without any of us knowing it.
So that’s why we feel it’s important for the Joomla project to announce an official date for Joomla 1.0’s end-of-life as soon as possible. It serves as a promise to the community that until this date, issues will be fixed. We propose March 6, aka 03/06/09. That leaves everyone plenty of time, and it’s an easy date to remember.
It’s up to the community now to speak up: do you agree, do you think it’s too soon, or too late? Are you upgrading to 1.5 or not at all? This way we help the Joomla project to make an informed decision.
At the beginning of the year I predicted that Joomla! would reach its turning point in March 2008, based on the download statistics of joomlacode.org.
My prediction turned out to be correct; however, it looked like Joomla! 1.0 wasn’t going to give up the fight easily. I concluded that the further uptake of 1.5 would depend on an increase in native and stable extensions and an announcement about the end of life of Joomla! 1.0.
Over the last months the number of new native extensions has been growing rapidly: for August the extensions directory team reported that about 75% of new extensions were native Joomla! 1.5 extensions. A quick search on the extension directory shows that 30% of all components are now Joomla! 1.5 native.
People are also slowly making the switch from Joomla! 1.0 to Joomla! 1.5 only; a good example is the guys over at Yootheme. A while ago they announced they were switching their templates completely to Joomla! 1.5. A few weeks ago they also released ‘teamlog’, a 1.5 native project management extension, and from what I have heard there are more extensions on the way.
Let’s have a look at the downloads for the last months and see if we can make any new predictions.
The graph below shows the monthly download statistics for both Joomla! 1.0 and 1.5.
Conclusions :
What does this tell us about the uptake of Joomla! 1.5? For that we need to have a look at the following graph.
Conclusions :
Based on this data I predict that Joomla! 1.0 will be reaching the end of its life around the beginning of 2009. Time for the project to bite the bullet and set a date: 03/06/09, or March 6, 2009, 3 years and 6 months after the release of 1.0, seems like the perfect date to me. What do you think?
When I wrote the post about common Joomla misconceptions, I forgot one myth. A lot of people seem to think all Joomla sites look alike. They’re saying it pushes you to fit a certain design concept. But every now and then you see a site that proves them wrong. In the end, the creativity of the designer is the only limit. You can’t blame your canvas if your painting sucks.
The new “Know Your Rights” website by the United Nations is one such site that shows beautiful Joomla design. People keeping up with the news on the Nooku.org site, probably already saw this, but I felt it was worth cross posting it.
It’s even more amazing when you know that the site was originally made in Flash. This caused some issues: it was hard to make changes, and the languages were hardcoded. It didn’t fit the UN’s workflow. By rebuilding it as a Joomla + Nooku site, they can now easily add languages when the translation is ready.
Did you know you can have a sitemap in your Joomla site without installing any additional extensions?
The menu module already does everything we need: it’s essentially a tree with all the items in the system. All we need to do is make it look like a component.
Got any quick’n'dirty tricks to do cool stuff in Joomla that was never intended to be used that way? Let us know!
Traditionally, Joomla extensions stored all their assets (images, javascript, css, flash files…) inside the extension’s folder. However, because these files are supposed to be publicly accessible, and all other files should stay hidden, that doesn’t really make sense. Fortunately, this was fixed in Joomla 1.5.4. Extensions can now use the /media folder.
Very easy: simply add a media tag in your extension’s manifest file.
Before:
```xml
<files folder="site">
  <folder>some_folders</folder>
  <folder>css</folder>
  <folder>images</folder>
  <folder>js</folder>
  <file>index.html</file>
  <file>mycomp.php</file>
</files>
```
After:
```xml
<files folder="site">
  <folder>some_folders</folder>
  <file>mycomp.php</file>
</files>
<media destination="com_mycomp" folder="media">
  <folder>css</folder>
  <folder>images</folder>
  <folder>js</folder>
  <file>index.html</file>
</media>
```
Inside your installable package, you should now have the folders /site and /media. During the extension’s installation, the files from /media will be copied to /media/com_mycomp (or plg_myplugin or mod_mymodule).
Separating publicly accessible assets from the rest of the system like this has some security advantages. Ideally, you’d move all other files outside the document root, increasing security. Joomla doesn’t support this yet. What you can do however, is add a .htaccess file in /com_mycomp with ‘deny from all’. This way you don’t need to litter your component with index.html files and defined(‘_JEXEC’) or die(); statements. Of course, this assumes that the end user’s host has AllowOverride turned on.
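As an added example (not code from the original post or from Joomla), here is a small audit script that walks an extracted extension tree and reports every PHP file that is reachable directly because it has neither a defined('_JEXEC') or die guard nor a blocking .htaccess in its directory or a parent directory. It goes slightly beyond the post by also accepting the Apache 2.4 spelling "Require all denied"; the sample component tree it builds is constructed for the demonstration, and the whole check assumes AllowOverride is on, as the post notes.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a directory tree for
# PHP files with neither a _JEXEC guard nor a "deny from all" .htaccess.

# Returns 0 if the directory of file $1, or any parent up to root $2, holds a
# .htaccess that blocks direct access (Apache 2.2 "deny from all" as in the
# post, or the Apache 2.4 equivalent "Require all denied").
htaccess_blocks() {
  hfile=$1; hroot=$2
  d=$(dirname "$hfile")
  while :; do
    if [ -f "$d/.htaccess" ] && \
       grep -iqE 'deny from all|Require all denied' "$d/.htaccess"; then
      return 0
    fi
    if [ "$d" = "$hroot" ] || [ "$d" = "/" ]; then
      return 1
    fi
    d=$(dirname "$d")
  done
}

# Returns 0 if PHP file $1 carries the usual direct-access guard, allowing for
# optional whitespace inside the parentheses.
has_jexec_guard() {
  grep -q "defined( *'_JEXEC' *) *or *die" "$1"
}

# Lists unprotected PHP files below $1 on stderr and prints their count on
# stdout (0 means every PHP file is guarded or blocked).
audit_tree() {
  root=$1; n=0
  for f in $(find "$root" -name '*.php' | sort); do
    if has_jexec_guard "$f" || htaccess_blocks "$f" "$root"; then
      continue
    fi
    echo "UNPROTECTED: $f" >&2
    n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample tree: one guarded component, one protected only by
# .htaccess, and one with a helper file that is neither guarded nor blocked.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/components/com_guarded" "$t/components/com_blocked" \
           "$t/components/com_open/helpers"
  printf "<?php defined('_JEXEC') or die;\n" > "$t/components/com_guarded/guarded.php"
  printf "<?php echo 'helper';\n" > "$t/components/com_blocked/helper.php"
  printf "deny from all\n" > "$t/components/com_blocked/.htaccess"
  printf "<?php defined( '_JEXEC' ) or die();\n" > "$t/components/com_open/open.php"
  printf "<?php echo 'helper';\n" > "$t/components/com_open/helpers/helper.php"
  echo "$t"
}

tree=$(make_sample_tree)
echo "unprotected PHP files: $(audit_tree "$tree")"
rm -rf "$tree"
```

Run it against a real extracted package (e.g. `audit_tree /path/to/components`) to confirm a media-folder split plus a single .htaccess really covers every PHP file you meant to hide.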
Joomla! celebrates its third birthday today and I feel it’s an excellent opportunity to look back. The story behind Joomla! is long and rich in detail. There are many perspectives. This is mine.
Note, this text is a re-write of a blog post I did for Joomla!’s first birthday. The blog post has gone lost with recent infrastructure changes at Joomla.org. I decided to re-write and re-publish it.
On the 1st of September 2005 Joomla! was born. Some called it a fork. Some called it a spoon. Some call it an entire table setting. Whatever your philosophical persuasion, the facts are that Joomla was a continuation of the work of the Development Team which unanimously resigned from the Mambo project in August 2005. To my knowledge this was a unique event in the history of open source: never before did a complete project and community move house.
After the actual split we were put in both an exciting and difficult situation. Exciting because we managed, for the first time in history, to re-brand an open source project and move it to a new home. Difficult because this had never been done before. We were writing the blank pages in our own roadbook, one step at a time.
The whole effort also put a lot of strain on the core team. Growing pains that normally emerge over a period of months or years needed to be dealt with in a period of weeks. Community pressure was high, resources needed to be created, a version released, a vibe established, … and above all we needed to keep cool. When looking back three years later I’m still amazed what people can accomplish when they set their minds to it and I’m proud to have been part of writing open source history.
The re-branding of the project was a big success and Joomla! swiftly made its name in the open source landscape. We managed to establish a clear brand and identity. Despite all our efforts, the re-branding of the product was less successful.
‘What’s the difference between Mambo and Joomla?’ This must have been the most asked question in the months and weeks after the split. A valid question indeed. What is Joomla! 1.0 actually: is it Mambo’s own ‘Lore’, the missing twin brother suddenly appearing, or is it a newborn product?
After the split we faced a problem: while Joomla! 1.0 was indeed a re-brand of Mambo, it hadn’t established its own personality yet. Although it already had a huge user base from its birth, to a new user it was still a Mambo copy-cat, looking and functioning in the same way; the only differences were the logo and name. How did that set Joomla! apart from Mambo? It didn’t.
It became clear that we needed to create a new version soon to show the project was still very much alive and to differentiate ourselves from Mambo. But how did we proceed? Follow the old roadmap or not? Choose a longer release cycle, or choose the safer solution of a short and quick release? Lots of questions, very few answers.
At the time the latter seemed indeed the best approach. The whole team was still there, we could easily pick up development again. International community pressure convinced us to go for a shorter release cycle and put forward internationalisation as the main feature. In October 2005 we picked up development as if nothing had changed.
It would soon become clear that this was a vital mistake. The spooning of the project also left its strains on the community and core team. New people were invited, others left, processes needed to be put in place and roles shifted. We saw a time of heavy and sometimes heated discussions on the mailing lists and forums about a multitude of problems. Slowly we realised that not only had our project name changed, but this also had vast implications for our community structure and processes.
In the months that followed we had quite a struggle to get things rolling. At that time we were dealing with a multitude of issues, mostly surrounding communication and processes. We could have called a time out, stopped all our work and got our issues sorted before moving forward again. Instead we kept going; this resulted in a more natural process and eventually became Joomla! 1.5.
In the meantime community pressure, especially on the forums, increased. People voiced their discontent with the way things were going. Politics always have a negative effect on a community process and Joomla! wasn’t any different. It was only during the summer of 2006 that the working groups were starting to settle in and the project was slowly moving into full gear while motivation was increasing.
Joomla! 1.5 was released on the 21st of January 2008. Two years, 3 months and 9 days since the first commit was made, the Joomla! project released its new baby. Joomla! 1.5 is the result of the process the community went through since the split, and personally I think it became an excellent product, one we should all be proud of.
The main drive behind the design of Joomla! 1.5 has been to try and use the Joomla! 1.0 architecture to its full extent. We can’t deny that the APIs in 1.0.x were not in line with the latest professional coding standards. Most of the APIs were not flexible and did not always use proper object-oriented principles. These problems had been discussed time and time again in the past and everyone agreed that something needed to be done about it.
In the past these changes had always been put off since they would be coming in a 5.0 version, a version that was started multiple times but never got out of CVS. In order to make the Joomla! codebase more attractive to professional developers we just couldn’t leave it as is.
The development cycle of 1.5 was the ideal time. We used the time it took to properly research the UTF-8 issues and refactor the codebase. We based ourselves on the feedback gathered and the experiences from developing Mambo 4.5.3, a version that we never released. As a result the system has been restructured and the APIs have been cleaned up, resulting in a flexible and powerful core framework that sets new standards for all future Joomla! development.
People sometimes ask, why did you call it 1.5 and not 2.0? Well, with Joomla! 1.5 we tried to address all of the issues that could be addressed without compromising backwards compatibility. The main reason we called it 1.5 and not 2.0 is just that: because it is 90% backwards compatible and is using the same database schema as 1.0.
I am writing this because I want to provide a historical perspective on where we are today with Joomla!. A lot has been told about the development of Joomla! since the day it was born. The reality is that the story is bigger than just Joomla!. It goes back years, spans continents, and includes a cast of thousands. It’s a fantastic story, with all of your standard themes — greed, rage, turmoil, love lost. But mostly it’s a story of dedicated people laboring to create something they truly believe in. That’s something I think everyone should be able to relate to – no matter what their walk of life. That’s why Joomla! is so powerful.
For me, the story included the realization that I had never believed in something this much before, and discovering how easily and arbitrarily your dreams could be snatched away. Ultimately though I realized that with some patience and good old-fashioned hard work, anything is possible.
In the coming years, I hope Joomla! will gain the ability to be a crossroads where people can come together and share their thoughts on society and where it is going. Different people have different ideas, and these are borne out in the different extensions that exist. These extensions create the ecosystem that is Joomla!. Whatever project scratches the itch of any particular person, having their contributions and ideas around is beneficial for all projects.
Joomla is so successful today that it is gaining attention from people across the globe. Many new contributors are finding the project and new ways to help out. This sort of thing is essential to keep the project vibrant and maintain the flow of innovation. It is important that those of us who’ve been round the block a few times share what came before, what did and did not work. The struggles that were fought, the price that was paid. This project has not been successful by accident. Its success represents the sum total of the energy expended by thousands of people around the world for almost a decade.
Happy birthday to you all!
Today, 08/08/2008, is not only a popular day for getting married, it’s also a great day for the PHP world. PHP4 is no more, it’s expired, it’s pushing up the daisies! PHP4 is an ex-language. From now on, only PHP 5 is supported, the version that turned PHP from an advanced scripting utility into an enterprise grade, full blown programming language.
When Joomla! 1.5 (called 1.1 at the time) was planned, it was decided to go for PHP4 compatibility, as PHP5 was not being adopted by ISPs a lot. In retrospect, it would have been better to go for PHP5 right away, but of course, no-one at the time knew it would take two years before Joomla! was ready for release.
Luckily, in a flash of brilliance it was decided to make Joomla! forward compatible with PHP5. By coming up with some clever tricks here and there, adding the proper docblock comments, and having a clean naming convention, J!1.5 turned into an interim release that could bridge the gap between PHP4 and PHP5. The idea was that it then would be easy to refactor to PHP5-only in the next major Joomla! release.
Funnily though, when the time came to plan J!1.6, there was a general reluctance in the development working group to make the move to PHP 5.2, or even to discuss it. It took a couple of nudges from our end, to get the community to speak up and express the dire need to switch. It was great to see how the community really came together to push what it felt was important! In the end it was announced that 1.6 would be for PHP 5.2 only.
At Joomlatools, we knew early on we couldn’t realize all of our plans for Nooku using PHP4. As some people have begun to notice, Nooku is about more than just translations. A big chunk of the code is written in a way that will make it reusable for other extensions. Some of the API concepts and patterns we implemented (mixins, chain of command, inflection, …) wouldn’t have been possible with PHP4. So for us, PHP5 is the only way forward.
IBM Internet Security Systems published its X-Force 2008 Mid-Year Trend Statistics report and immediately everyone is going through the roof, publishing scary and sensational headlines about Drupal, WordPress and Joomla! being vulnerable.
What everybody got so upset about, is the following table of Vendors with the Most Vulnerability Disclosures:
| Ranking | Vendor | Disclosures |
|---|---|---|
| 1. | Apple | 3.2% |
| 2. | Joomla! | 2.7% |
| 3. | Microsoft | 2.5% |
| 4. | IBM | 2.3% |
| 5. | Sun | 1.9% |
| 6. | Oracle | 1.4% |
| 7. | Cisco | 1.4% |
| 8. | Drupal | 1.2% |
| 9. | WordPress | 1.1% |
| 10. | Linux | 1.0% |
Time to lock all doors and windows and go back to good ol’ static html? Yes, if you believe some bloggers. But take a closer look: the table lists vendors with the most vulnerability disclosures. It doesn’t list the most vulnerable vendors, and there’s a huge difference. Chances are that the vendors that didn’t make the top ten are actually more vulnerable, but simply have less disclosures. The more people use code and look at it, the more issues will be discovered. That’s why only big names get in the top ten. Joomla! and Drupal are always very quick with security patches, so there’s really no need to panic.
It reminds me of the Belgian dioxin affair a couple of years back. Some eggs and chickens were discovered to contain the toxic dioxin. The press and the public opinion went insane, there was a huge political crisis, and 7 million chickens were destroyed. When it finally blew over, it turned out the dose was less than 100mg and no direct threat to public health. And nobody seemed to get that it was actually good news: if the Belgian food inspection can detect such small amounts of toxins, we can be pretty reassured that our food is safe. The same thing goes for Joomla!: if many issues are discovered and dealt with, the result is an application we can trust.
In recent months, the official joomla.org site has undergone some major changes. Unfortunately, two extremely valuable resources have disappeared, and there aren’t many signs that they’re coming back in some way.
The new community.joomla.org was opened a little while ago, as a resource where all contributors of the Joomla project (documentors, moderators, developers, …) have a blog to share information. That’s a great initiative, but unfortunately the old news.joomla.org had to make way (it’s available, but there are no links to it and it hasn’t been updated for two months). This site was a place where anybody could post Joomla! related news. I always felt this was a great way of keeping an eye on what’s going on in the community. Joomla! is not only about the people who contribute directly to the project itself, but also about everybody else, be it (commercial or other) extension developers, template developers, professional integrators, book or tutorial authors, users, … Certainly a place can be provided at community.joomla.org where everybody can post, making it a true community resource.
More importantly, the old dev.joomla.org was replaced by docs.joomla.org and developer.joomla.org. Unfortunately a lot of valuable information is gone:
I removed the poll. The result was 90 votes in favor of bringing the sites back versus 9 votes against.
In the meantime, JoomlaConnect was released as a replacement for news.joomla.org. A lot of confusion could have been avoided by communicating about this in the open early on. The issue with the developer documentation is still unresolved, as far as I’m aware.