January 5th, 2008
A lot of talk has gone on recently regarding CSRF and Joomla 1.0.13/1.5. CSRF is a problem for all web based applications and the upcoming Joomla 1.0.14 and Joomla 1.5 stable have both been hardened against such security vulnerabilities. Hardened, not made secure, as it is practically impossible to secure against each and every CSRF there is without interrupting workflow. Joomla, as do most other webapps, has made it as difficult as possible to use CSRF to hack a Joomla site.
The advice issued by ourselves recently is still just as valid now as it will be when Joomla 1.0.14/1.5 are released - Please follow these rules:
- ALWAYS click LOGOUT in Joomla Admin when you finish
- NEVER browse other websites while logged in to Joomla Admin
- If you allow users to upload to or modify your site through any third-party component, then don’t browse your own site (or at least limit your browsing of it) while logged in to Joomla Admin
- NEVER click on links to “Upgrade this component” in 3rd Party Components
- NEVER browse forums while logged into Joomla Admin
However, there is always a better, more secure option:
Introducing PRISM

Prism (formerly Webrunner) is a prototype application that lets users split web applications out of their browser and run them directly on their desktop. What this really means in non-techie speak is that you can launch a scaled down web browser in its own process and use that to administer your Joomla site. Prism is a scaled down Firefox web browser that is designed for web applications - so already it's more secure as it's not Internet Explorer based :-)
We have been highly active in using Webrunner/Prism since the first release - and we are addicted.
Learn More
Get Prism
Once you have Prism installed, simply double click its icon and you will be prompted to give a URL and NAME (and a few optional settings).

For the URL, set this to your admin console, like http://www.mysite.com/administrator/,
and set the NAME to “Administrator for mySite”. Also check the desktop shortcut icon.
Then you will be promptly shown your admin page - you can now login securely and continue administrating your Joomla site in Prism and NOT IN YOUR REGULAR BROWSER - this creates separation between your normal surfing and your Joomla Administrator.
By doing this you 100% protect yourself from the CSRF vulnerability reported in Joomla and other web apps - once you get addicted (as are we) to Prism you will never use your browser for web applications again!!!
Hope you like the tip!
Posted in Prism, Security, Tips | 1 Comment »
December 27th, 2006
It has been reported to us twice over Christmas that a certain backup and restore component for Joomla is “cloning” Joomla databases without reinstating all the properties of the databases’ primary keys correctly.
You will know when you have this problem as you will not be able to add any NEW content to your Joomla site and you may get error messages about duplicate primary keys.
If you take a look at your jos_content table, check the ID field and see if auto_increment is a property of the field - if not then you have lost all your auto_increments.
I have compiled a short list of SQL commands to reinstate the correct primary keys and properties based on joomla.sql, the default joomla installation SQL. This will NOT fix 3rd party components tables which must be done manually.
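One way to run the check described above across a whole schema, as an added example (not the author's SQL commands, which are in the full entry): compare the auto_increment columns in a reference schema such as joomla.sql with those in a dump of the cloned database. The two schema strings, the function names and the default jos_ prefix are assumptions made for illustration.

```php
<?php
// Added example. Both schema strings are constructed samples, not the real
// joomla.sql or a real backup; function names and the jos_ prefix are assumed.

// Map each table to the definition line of its auto_increment column, or null.
function autoIncrementColumns(string $ddl, string $prefix = 'jos_'): array
{
    $ddl = str_replace('#__', $prefix, $ddl);   // joomla.sql uses the #__ placeholder
    $found = [];
    $table = null;
    foreach (preg_split('/\R/', $ddl) as $line) {
        if (preg_match('/^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?/i', $line, $m)) {
            $table = $m[1];
            $found[$table] = null;
        } elseif ($table !== null && preg_match('/^\s*\)/', $line)) {
            $table = null;   // closing line; any AUTO_INCREMENT=n counter here is ignored
        } elseif ($table !== null && preg_match('/^\s*`\w+`\s.*\bauto_increment\b/i', $line)) {
            $found[$table] = rtrim(trim($line), ',');
        }
    }
    return $found;
}

// List MODIFY statements for columns that lost auto_increment in the clone.
function repairStatements(string $reference, string $clone): array
{
    $actual = autoIncrementColumns($clone);
    $sql = [];
    foreach (autoIncrementColumns($reference) as $table => $definition) {
        if ($definition !== null && array_key_exists($table, $actual) && $actual[$table] === null) {
            $sql[] = "ALTER TABLE `$table` MODIFY $definition;";
        }
    }
    return $sql;
}

$reference = <<<'SQL'
CREATE TABLE `#__content` (
  `id` int(11) unsigned NOT NULL auto_increment,
  PRIMARY KEY (`id`)
) TYPE=MyISAM;
SQL;
$clone = <<<'SQL'
CREATE TABLE `jos_content` (
  `id` int(11) unsigned NOT NULL,
  PRIMARY KEY (`id`)
) TYPE=MyISAM;
SQL;
print_r(repairStatements($reference, $clone));
```

MySQL only accepts auto_increment on an indexed column, so a table that also lost its primary key needs the key restored before the MODIFY statement will run. Review the generated statements against a backup before applying them.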
The following SQL Commands are applicable to Joomla 1.0.x only. Read the rest of this entry »
Posted in Database, Joomla 1.0.12, Joomla Core, Tips | 4 Comments »
December 8th, 2006
For some time now customers have been requesting a certain new feature in the Tags component - The ability to link to pages that contain articles tagged with two or more tags by AND or OR. Well we listened and now we are happy to announce a new release of the Tags component with new features !!!
This new functionality allows you to search for articles that are tagged with the tag names supplied within a URL.
You can search for articles by two methods: the and method and the or method.
The or method allows you to search for articles tagged with the tags x or y (x and y being tag names). The URL that is required for this search method to work will look something like this:
www.mywebsite.com/index.php?option=com_tag&tag=x|y
As you can see, the two tag names are separated with a bar (|). Make sure this bar is included in the URL, or the results of the search will not be as expected.
The and search allows you to search for articles tagged with the tags x and y (x and y being tag names). The URL for the and search is the same as for the or search with one change: the tag names are separated with a semicolon (;), so the URL will look something like this:
www.mywebsite.com/index.php?option=com_tag&tag=x;y
Again, make sure this semicolon is included in the URL, or the results of the search will not be as expected.
Please note that it isn’t possible to mix the two searching methods together, e.g. x;y|z, as this will result in a negative result.
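One way a component could parse the tag parameter described above, as an added example that is not the Tags component's own code: it rejects a mixed x;y|z request explicitly and passes tag names to the database only as bound parameters. The function names, the tag-name allowlist, and the jos_tags and jos_tag_map tables with their columns are hypothetical.

```php
<?php
// Added example, not the Tags component's code. The tables jos_tags and
// jos_tag_map, their columns and the tag-name allowlist are hypothetical.

function parseTagParam(string $raw): array
{
    $hasOr  = strpos($raw, '|') !== false;
    $hasAnd = strpos($raw, ';') !== false;
    if ($hasOr && $hasAnd) {
        throw new InvalidArgumentException('| and ; cannot be mixed');
    }
    $tags = array_values(array_unique(array_map('trim', preg_split('/[|;]/', $raw))));
    foreach ($tags as $tag) {
        // Allowlist: letters, digits, space, dash, underscore; 1 to 50 characters.
        if (!preg_match('/^[\p{L}\p{N} _-]{1,50}$/u', $tag)) {
            throw new InvalidArgumentException('invalid tag name');
        }
    }
    // A single tag is treated as a one-item OR search.
    return ['mode' => $hasAnd ? 'and' : 'or', 'tags' => $tags];
}

// Build the SQL with placeholders only; tag names travel as bound parameters.
function buildTagQuery(array $parsed): array
{
    $marks = implode(', ', array_fill(0, count($parsed['tags']), '?'));
    $sql = 'SELECT m.content_id FROM jos_tag_map AS m'
         . ' JOIN jos_tags AS t ON t.id = m.tag_id'
         . " WHERE t.name IN ($marks) GROUP BY m.content_id";
    $params = $parsed['tags'];
    if ($parsed['mode'] === 'and') {
        // AND: keep only articles that carry every requested tag.
        $sql .= ' HAVING COUNT(DISTINCT t.name) = ?';
        $params[] = count($parsed['tags']);
    }
    return [$sql, $params];
}

// Constructed inputs: the OR form, the AND form, and the unsupported mix.
foreach (['x|y', 'x;y', 'x;y|z'] as $raw) {
    try {
        [$sql, $params] = buildTagQuery(parseTagParam($raw));
        echo $raw, ' => ', $sql, ' [', implode(', ', $params), "]\n";
    } catch (InvalidArgumentException $e) {
        echo $raw, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```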
(Thanks to Chris for doing this so quickly and Thanks to Conor for the sponsorship)
Posted in Joomla Components, New Releases, Tagging, Tips | 2 Comments »
October 5th, 2006
As you may be aware we have been investigating why, under certain environments, non-latin based chars do not display correctly on websites when using our xAJAX based components such as Tags or mosKB.
xAJAX uses UTF-8 so we knew it was not an issue with xAJAX. Joomla 1.0.11 is not too UTF-8 friendly and even the Joomla Developers have blogged about the difficulties in achieving true UTF-8 on a site.
After many weeks testing under different environments we are pleased to offer some more thoughts so that, if you are experiencing issues with the chars not displaying correctly, you can attempt these changes to your site to ensure the best compatibility. These changes have fixed every site we have personally seen that had problems so we hope that one of them will fix your site if you are having issues.
Credits and thanks to some great webpages
Read on to see ways you can help yourself…
Read the rest of this entry »
Posted in AJAX, Bug Fixes, Joomla Components, Support, Tips, mosKB | 10 Comments »
September 20th, 2006
Dear all Tags and mosKnowledgeBase customers,
We have been aware for some time that under certain circumstances some xAJAX applications encountered encoding issues. xAJAX uses UTF-8.
We have been unable to replicate the encoding issues on our live server or our local desktops - until today.
We have found a setting in php.ini that may help, and there are other tweaks that we may be able to make to Joomla to further aid UTF-8. There is also a difference between using Internet Explorer and Firefox (they handle things differently).
There are many things that need to be investigated in order to achieve UTF-8 in Joomla 1.0.x (in Joomla 1.5 these things are taken care of). Running a completely UTF-8 site is difficult in Joomla 1.0.x.
We are happy to look at any Tags or mosKB sites that are having issues, we will attempt to work things out for free in our time if you send us the details using the form at http://www.phil-taylor.com/send-request
For the more advanced among you, try the following if your site has issues rendering tags/mosKB:
create/append .htaccess with:
php_value default_charset UTF-8
in php.ini change the line:
default_charset = "UTF-8"
in the default index.php Joomla files add after the <?php tag:
header('Content-Type: text/html; charset=utf-8');
Posted in AJAX, Bug Fixes, Joomla Components, Tips | No Comments »
September 20th, 2006
You may be aware that we have worked with other developers to release a version of xAJAX for Joomla 1.0.x as a mambot. What you may not know is that we have a working version for Joomla 1.5 too!
Joomla 1.5 brings some major changes to the way we write components with xAJAX, however the xAJAX plugin for Joomla 1.5 is still going to make development of xAJAX components for Joomla a lot easier. We have been able to clean up the way that xAJAX is made available to both the front end and backend component parts and the plugin can be harnessed from any installed component, even the core components can use it!
I think it is about time that the core developers stopped messing with bad implementations of xAJAX and started to take the xAJAX plugin seriously if they are to retain a library based platform on which other developers can build.
For example, currently in Joomla 1.5 we have complete xAJAX distribution files in the following locations:
- \joomla1.5\installation\includes\xajax\
- \joomla1.5\administrator\components\com_menus\xajax\
What should really be done is that xAJAX is included in the core like any other of the 3rd Party libraries in the \libraries\ folder.
This would allow xAJAX to be called by any component, including the two instances above. If the core were to implement the proof of concept xAJAX for Joomla Plugin I have developed then there would never be any conflict between components - core or 3rd party.
As it stands at the moment, there appears to be no direction for xAJAX integration. By including xAJAX in com_menus, the developers are not following their own guidelines of including libraries in the libraries folder so they can be used globally. They have also hindered ANY use of ANY xAJAX component on the backend, as any plugin will conflict with the xAJAX objects in com_menus and will stop the core features in com_menus from working.
I see no reason why the core developers should not look at the code I will provide them with.
If they do not entertain my idea then the future of xAJAX Components in Joomla 1.5 is seriously in trouble.
There needs to be direction for xAJAX in Joomla 1.5: either it is integrated correctly and reliably with 3PD Development in mind, or it is stripped from the core.
Lastly - Why on earth are there TWO full distributions of xAJAX in the Core Joomla 1.5 code - answers on a postcard please.
YOU CAN DISCUSS THIS IN THE JOOMLA FORUM THREAD:
http://forum.joomla.org/index.php/topic,96590.0.html
Posted in AJAX, Joomla Components, Joomla Core, Rants, Tips | 1 Comment »
September 5th, 2006
Dear folks, thanks for all the feedback that you send us daily. We do read every email and we value your input.
Recently many people asked us to provide a quick and easy way to view the latest version numbers of all our components on one page. Furthermore others wanted this information in a useable format such as RSS feed or straight XML.
After some thought about the future, and the way forward with Joomla 1.5, we have decided to make public a URL that has existed for many years (without us telling you) that we use internally.
You can view the XML file with a list of all our components, and their latest version numbers by going to the URL:
http://www.phil-taylor.com/versions.php
We hope you like this and also the new site design.
Posted in Joomla Components, New Releases, Tips | 1 Comment »
June 26th, 2006
It has come to light after upgrading our own site to Joomla 1.0.10 that the current mambot for Tags component is now adding tags to the bottom of module content. This was never the case in Joomla versions <= 1.0.9 and I do not know why Joomla has suddenly started doing this - maybe the core developers changed something, or fixed something that made something stop working, or start working that was different to before - strange all round.
However we have been quick to find a fix and the attached Tags Mambot for Joomla 1.0.10 file can be downloaded and placed in /mambots/content/tags.php and this will stop the tags showing on module content. I hope to have this as a configurable option in the next version of Tag/Tags component for Joomla.
Posted in Bug Fixes, Joomla Components, Tagging, Tips | 9 Comments »
March 7th, 2006
After spending all day answering emails I have decided to start adding more FAQ into the knowledgebase. The number one asked questions today were about mosLM, therefore here is a quick start guide to installing mosLM:
Quick Start Guide: How to install mosListMessenger
Posted in Joomla Components, Tips, mosListMessenger | 2 Comments »
March 7th, 2006
Today is a SkypeOut Gift Day for UK and US. I happen to be in the UK today myself, so I went ahead and claimed my gift — got it credited to my account pretty much immediately, so everything works fine. And when trying to approach it the second time, this is what it tells you. One gift per day per user. more info at: Gift Tuesday for UK and US - Skype Blogs
Posted in Free, Special Offers, Tips | No Comments »