mojoPortal Is Now Available in The Windows Web App Gallery!

 I'm very excited to announce that mojoPortal is now available in the Windows Web App Gallery, and can be installed easily using the Microsoft Web Platform Installer 2.0 Beta.


If you've already installed the Platform Installer you can start the download and installation with 1 click.

Huge thanks to Microsoft and the IIS team for helping us get listed in the web app gallery! I think this is going to help a lot in spreading the word about mojoPortal. Now we need some reviews so if you like mojoPortal why not visit our page in the gallery and give us a good rating and review.
http://www.microsoft.com/web/gallery/mojoPortal.aspx

The mojoPortal package in the gallery is for MS SQL, but our packages for other databases can also be installed using the MS Web Deployment Tool, which is installed using the Platform Installer.

Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

Mono 2.4 Released

 Congrats to the Mono team on their release of Mono 2.4 and MonoDevelop 2.0!


Time to play with the latest bits and see how it works with mojoPortal!


mojoPortal 2.2.9.6 Released

mojoPortal 2.2.9.6 is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.

Description

The issue is a cross-site scripting (XSS) vulnerability. The cause was a failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the URL like this: skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the URL for the CSS handler, it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility of JavaScript being inserted into the page.
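An added example, not mojoPortal's actual fix: one way to handle a skin name taken from the query string is to accept it only if it matches an allowlist, and to encode it when writing it into the CSS handler URL. The class name SkinParam, the default skin name and the handler path /csshandler.ashx are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example; SkinParam and the handler path are hypothetical names.
public static class SkinParam
{
    // Allowlist: letters, digits, '-' and '_' only, with a bounded length.
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    private static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z0-9_-]{1,64}\z", RegexOptions.CultureInvariant);

    // Returns the requested skin if it passes the allowlist, otherwise the default.
    public static string Resolve(string requested, string defaultSkin)
    {
        if (string.IsNullOrEmpty(requested) || !SafeName.IsMatch(requested))
            return defaultSkin;
        return requested;
    }

    // Builds the stylesheet link. The value is URL-encoded for the query string,
    // then the whole attribute value is HTML-encoded, so the output stays inert
    // even if the allowlist is loosened later.
    public static string CssLinkTag(string requested, string defaultSkin)
    {
        string skin = Resolve(requested, defaultSkin);
        string href = "/csshandler.ashx?skin=" + Uri.EscapeDataString(skin);
        return "<link rel=\"stylesheet\" href=\"" + WebUtility.HtmlEncode(href) + "\" />";
    }

    public static void Main()
    {
        // Constructed inputs: a valid skin name, and the decoded form of the
        // test string quoted in this post.
        string[] samples =
        {
            "printerfriendly",
            "1\0'\"><ScRiPt \n\r>alert(403326057258);</ScRiPt>"
        };
        foreach (string s in samples)
            Console.WriteLine(CssLinkTag(s, "default"));
    }
}
```

The first sample is written into the link unchanged; the second fails the allowlist, so the default skin is used and none of the request value reaches the page.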

The vulnerability was reported by Aaron King who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified a URL that could be constructed to inject JavaScript into the page and cause an alert message to be displayed in the page. While the demo exploit causes no harm, in theory other exploits are possible including the possibility of altering the content of the page or stealing a session cookie which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a JavaScript alert means more malicious exploits may be possible.

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site to click a malicious link. The link itself must contain the exploit code and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version 2.2.7.7 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit

http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt>

If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Upgrading to mojoPortal 2.2.9.6 will eliminate this vulnerability. All users are advised to upgrade as soon as possible. If you are upgrading from version 2.2.9.5, you can skip uploading the ClientScript folder; it will save you some time since it's a large folder and nothing in that folder has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of 8 which it actually had.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool, aka MsDeploy. See this article for easy step by step installation instructions. It's only for new installations, not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery; I have submitted a form and am waiting to hear back from them.


mojoPortal 2.2.9.5 Released

I'm happy to announce the release of mojoPortal 2.2.9.5, available now on the download page.

This release is primarily a bug fix release but it does have some new things.

What's New?

A new option in Page Settings, "Show Home Crumb", adds a home link to the breadcrumbs when "Show Breadcrumbs" is enabled. Thanks to Damien White for help with this.

Added a setting to the blog to control whether google maps are displayed in Excerpt view. Previously they were displayed, but now they are not by default, but can be displayed if the setting is enabled.

Added a feature on the Member List page to allow Admins to look up users by IP address.

Implemented a Discount feature in WebStore that allows defining discount codes supporting percentage and dollar amount discounts with various rules. The user can apply the discount by entering the discount code on the cart page. The apply discount feature is only visible on the cart page if there are currently active discounts.

Forum Improvements: added an email icon to make it more obvious that you can subscribe to forum post notification emails. Added the forum description to the forum post page so that it's easier for users to remember which forum they are in and what the forum description says. For example on this site it helps users remember to post certain details like OS, db platform, and version of mojoPortal when reporting bugs.

Bug Fixes

  • Fixed bug in url re-writer where paths could be re-written incorrectly in folder based child sites if the folder name was a substring of a page name. 
  • Fixed broken background image in css for one of the skins.
  • Fixed broken image urls on MyPage when used in folder based sub sites.
  • Fixed bug where an error would occur when removing users from roles under SQLite.
  • Fixed broken folder image url in forum UserThreads.aspx.
  • Fixed an issue with the css handler incorrectly resolving site id for folder based sites.
  • Remove unused files as these cause errors when people try to use the release packages in Visual Studio. I still think people should use the source code for development not the release files but people keep trying to use release files so I'm trying to make that possible.
  • Fixed a bug in the MS SQL install/upgrade scripts where one procedure was not compatible with SQL 2000.

Upgrade Notes

If you are upgrading from 2.2.9.2, you can skip uploading the /ClientScript folder as nothing has changed there.


mojoPortal 2.2.9.2 Released

I'm happy to announce the release of mojoPortal 2.2.9.2 available now on our download page.

What's New?

Easy Woopra Integration

I mentioned Woopra in this previous post; it's an awesome web analytics and real time traffic monitoring tool. Now it's easy to use Woopra with your mojoPortal site. Just sign up for Woopra and install their software on your home or office computer. Once they approve your site, you enable the script in mojoPortal from the Site Settings page as shown in this screen shot:

[Screenshot: Woopra setting in mojoPortal]

If you are using a custom skin, then you also need to add the Woopra control to the layout.master file in your skin, just before the closing </form> tag like this:

<portal:Woopra ID="woopra11" runat="server" />
</form>

All the included skins in mojoPortal already have this. There was a long waiting period when I first signed up for Woopra but lately people have been telling me they are getting approved within a few days of signing up for Woopra. It's a great service, I highly recommend it.

WebStore Improvements

We've added the ability to set the quantity when adding items to the cart from the product detail page and we've made it possible to update quantities directly on the cart. So previously if you wanted to buy me more than one beer, you had to add the beers to the cart one at a time, but now it's very easy to be generous :-).

Last release we moved reporting out of WebStore and created a common set of reporting tables in the core so that the same reporting system can be used across ecommerce features. Since then we've begun fleshing out more reports; there are a number of new reports this release and even more to come later.

Miscellaneous

Japanese resource files thanks to Suzuki Teku, this brings us up to 18 languages!

A new setting in Page Settings for "Include In Site Map". This was requested recently by a community member. We already had a setting for "Include In Menu", but that setting also excluded the page from the site map, so this new setting allows creating pages that don't appear in the menu but do appear in the site map.

Canonical URLs in the meta data. This is a new thing agreed upon by the big search engines so that if a page is available from more than one URL, the preferred URL can be specified by a meta link with rel=canonical. This helps make sure the URL that is shown in search results is the correct one. In mojoPortal we haven't really had problems with this for content system pages because they generally only have one URL, but in the past I would see some duplicate warnings in Google Webmaster Tools about my forum pages, because the same page could be seen with query string parameters in a different sequence and Google would think they were duplicated pages when it was really the same page with just a variation in the sequence of parameters in the URL. So the forums now specify the preferred URL with the preferred sequence of parameters. We also add canonical URLs to the main content pages, but it probably doesn't have much impact there since there haven't been problems with duplicated pages with different URLs.

One customer recently asked about being able to use separate read/write connection strings with MySql so they could use MySql replication as a scaling strategy. I don't know much about using this approach, it seems it could be problematic unless the replication is instantaneous. Nevertheless, I did the grunt work of going through all the MySql data classes and making it possible to use different connection strings for read and write operations. Basically I made all the read methods get the read connection string and all the write methods use the write connection string. If you don't specify a write connection string in Web.config/user.config then it just uses the read connection string, so the logic is like this:

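    // Requires: using System.Configuration;

    // Connection string used by all read methods.
    private static String GetReadConnectionString()
    {
        return ConfigurationManager.AppSettings["MySqlConnectionString"];
    }

    // Connection string used by all write methods; falls back to the
    // read connection string when MySqlWriteConnectionString is not set.
    private static String GetWriteConnectionString()
    {
        if (ConfigurationManager.AppSettings["MySqlWriteConnectionString"] != null)
        {
            return ConfigurationManager.AppSettings["MySqlWriteConnectionString"];
        }

        return ConfigurationManager.AppSettings["MySqlConnectionString"];
    }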

So, if you want to use a different connection string for write operations just add a connection string setting with the key MySqlWriteConnectionString. I'd be interested to hear back from anyone who does use this approach with MySql. I don't know if the same scaling strategy is commonly used for MS SQL, PostgreSQL or Firebird, but I could make the same changes for those data layers if people tell me it would be helpful.

Event Calendar Pro 0.0.1.3 Released

Coinciding with this new release of mojoPortal is a new release of Event Calendar Pro. It now uses the new commerce reporting system so ticket sales are reflected in commerce reports and user purchase history is consolidated in the My Account/User Profile page. Note also that previously there was a module setting for currency but this now uses the currency setting from Site Settings. Also fixed a bug on the event detail page where the correct currency was not always displayed. Existing customers can download the new version from their Order History under My Account. Because Event Calendar Pro depends on the new reporting system you must upgrade to mojoPortal 2.2.9.2 before upgrading to the new version of Event Calendar Pro.

Form Wizard Pro 0.0.0.4 Released

This is just a minor bug fix release of Form Wizard Pro. There was a bug in the data export where the submission date for the forms was not correct; all the rows were using the submit date of the first row. This is now fixed. Existing customers can download the new version from their Order History under My Account.

Upgrade Notes for mojoPortal

If you are upgrading from mojoPortal 2.2.8.6, then you can skip uploading the /ClientScript folder as nothing in that folder has changed. It's a large folder so leaving it out can save a lot of upload time.
