mojoPortal 2.2.9.6 Released

mojoPortal 2.2.9.6 is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.

Description

The issue is a cross site scripting vulnerability. The cause of the problem was failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the url like this: skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the url for the css handler, it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility of JavaScript being inserted into the page.

The vulnerability was reported by Aaron King, who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified a url that could be constructed to inject JavaScript into the page and cause an alert message to be displayed. While the demo exploit causes no harm, in theory other exploits are possible, including altering the content of the page or stealing a session cookie, which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a JavaScript alert means more malicious exploits may be possible.
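The bug class described above, shown next to a fixed version, as an added example; this is not mojoPortal's own code, and the handler url, the method names and the allowed-character rule are assumptions chosen for illustration:

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not mojoPortal's code. The handler url (/csshandler.ashx), the
// method names and the allowlist rule are assumptions for illustration.
public static class SkinPreview
{
    // Before: the raw skin parameter is concatenated into the markup, so anything a
    // browser accepts in a url (quotes, '<', line breaks) lands in the page untouched.
    public static string RenderUnsafe(string skinParam)
    {
        return "<link rel=\"stylesheet\" href=\"/csshandler.ashx?skin=" + skinParam + "\" />";
    }

    // Skin names are folder names, so an allowlist is the natural rule: letters, digits,
    // '-' and '_' only, with a length cap. \z (not $) so a trailing newline cannot sneak past.
    private static readonly Regex SkinNameRule =
        new Regex(@"^[A-Za-z0-9_-]{1,50}\z", RegexOptions.Compiled);

    // Anything that fails the rule is replaced by the site's default skin.
    public static string SanitizeSkinName(string skinParam, string defaultSkin)
    {
        if (string.IsNullOrEmpty(skinParam)) return defaultSkin;
        return SkinNameRule.IsMatch(skinParam) ? skinParam : defaultSkin;
    }

    // After: validate first, then still encode for the context the value is written into.
    // The allowlist alone would do here, but encoding on output keeps the template safe
    // if someone later relaxes the rule.
    public static string RenderSafe(string skinParam, string defaultSkin)
    {
        string skin = SanitizeSkinName(skinParam, defaultSkin);
        return "<link rel=\"stylesheet\" href=\"/csshandler.ashx?skin="
            + Uri.EscapeDataString(skin) + "\" />";
    }

    public static void Main()
    {
        // Constructed input shaped like the scanner's probe from the post (url-decoded).
        string probe = "1\0'\"><ScRiPt \n\r>alert(1);</ScRiPt>";

        Console.WriteLine(RenderUnsafe(probe));                      // markup is broken open
        Console.WriteLine(RenderSafe(probe, "printerfriendly"));     // default skin used instead
        Console.WriteLine(RenderSafe("printerfriendly", "default")); // a valid name passes through
    }
}
```

The allowlist is the real fix here: the parameter only ever needs to name an existing skin folder, so rejecting everything outside that shape removes the attack surface rather than trying to enumerate dangerous characters. The output encoding is defence in depth for the attribute context.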

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site into clicking a malicious link. The link itself must contain the exploit code, and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site, or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version 2.2.7.7 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit the following url (substituting your own domain):

http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt>

If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Upgrading to mojoPortal 2.2.9.6 will eliminate this vulnerability. All users should upgrade as soon as they can. If you are upgrading from version 2.2.9.5, you can skip uploading the ClientScript folder; that will save you some time since it's a large folder and nothing in it has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously, when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of the 8 it actually has.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool, aka MsDeploy. See this article for easy step by step installation instructions. It's only for new installations, not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery; I have submitted a form and am waiting to hear back from them.

Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.2.9.5 Released

I'm happy to announce the release of mojoPortal 2.2.9.5, available now on the download page.

This release is primarily a bug fix release but it does have some new things.

What's New?

A new option in Page Settings, "Show Home Crumb", adds a home link to the breadcrumbs when "Show Breadcrumbs" is enabled. Thanks to Damien White for help with this.

Added a setting to the blog to control whether Google Maps are displayed in Excerpt view. Previously they were always displayed; now they are hidden by default but can be displayed if the setting is enabled.

Added a feature on the Member List page to allow Admins to look up users by IP address.

Implemented a Discount feature in WebStore that allows defining discount codes supporting percentage and dollar amount discounts with various rules. The user can apply the discount by entering the discount code on the cart page. The apply discount feature is only visible on the cart page if there are currently active discounts.

Forum Improvements: added an email icon to make it more obvious that you can subscribe to forum post notification emails. Added the forum description to the forum post page so that it's easier for users to remember which forum they are in and what the forum description says. For example, on this site it helps users remember to post certain details like OS, db platform, and version of mojoPortal when reporting bugs.

Bug Fixes

  • Fixed bug in url re-writer where paths could be re-written incorrectly in folder based child sites if the folder name was a substring of a page name.
  • Fixed broken background image in css for one of the skins.
  • Fixed broken image urls on MyPage when used in folder based sub sites.
  • Fixed bug where an error would occur when removing users from roles under SQLite.
  • Fixed broken folder image url in forum UserThreads.aspx.
  • Fixed an issue with the css handler incorrectly resolving site id for folder based sites.
  • Removed unused files, as these cause errors when people try to use the release packages in Visual Studio. I still think people should use the source code for development, not the release files, but people keep trying to use release files so I'm trying to make that possible.
  • Fixed a bug in the MS SQL install/upgrade scripts where one procedure was not compatible with SQL 2000.

Upgrade Notes

If you are upgrading from 2.2.9.2, you can skip uploading the /ClientScript folder as nothing has changed there.

mojoPortal 2.2.9.2 Released

I'm happy to announce the release of mojoPortal 2.2.9.2 available now on our download page.

What's New?

Easy Woopra Integration

I mentioned Woopra in this previous post; it's an awesome web analytics and real time traffic monitoring tool. Now it's easy to use Woopra with your mojoPortal site. Just sign up for Woopra and install their software on your home or office computer. Once they approve your site, you enable the script in mojoPortal from the Site Settings page as shown in this screen shot:

[Screen shot: the Woopra setting in mojoPortal Site Settings]

If you are using a custom skin, then you also need to add the Woopra control to the layout.master file in your skin, just before the closing </form> tag, like this:

<portal:Woopra ID="woopra11" runat="server" />
</form>

All the included skins in mojoPortal already have this. There was a long waiting period when I first signed up for Woopra, but lately people have been telling me they are getting approved within a few days of signing up. It's a great service, I highly recommend it.

WebStore Improvements

We've added the ability to set the quantity when adding items to the cart from the product detail page, and we've made it possible to update quantities directly on the cart. So previously if you wanted to buy me more than one beer you had to add the beers to the cart one at a time, but now it's very easy to be generous :-).

Last release we moved reporting out of WebStore and created a common set of reporting tables in the core so that the same reporting system can be used across ecommerce features. Since then we've begun fleshing out more reports; there are a number of new reports in this release and even more to come later.

Miscellaneous

Japanese resource files thanks to Suzuki Teku; this brings us up to 18 languages!

A new setting in Page Settings for "Include In Site Map". This was requested recently by a community member. We already had a setting for "Include In Menu", but that setting also excluded the page from the site map, so this new setting allows creating pages that don't appear in the menu but do appear in the site map.

Canonical Urls in the meta data. This is a new thing agreed upon by the big search engines so that if a page is available from more than one url, the preferred url can be specified by a meta link with rel=canonical. This helps make sure the url shown in search results is the correct one. In mojoPortal we haven't really had problems with this for content system pages because they generally only have one url, but in the past I would see some duplicate warnings in Google Webmaster Tools about my forum pages, because the same page could be seen with query string parameters in a different sequence and Google would think they were duplicate pages when it was really the same page with just a variation in the order of parameters in the url. So the forums now specify the preferred url with the preferred sequence of parameters. We also add canonical urls to the main content pages, but it's probably not much impact there since there haven't been problems with duplicated pages with different urls.
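One way to produce the canonical link for a page whose query string parameters may arrive in any order, as an added example that is not mojoPortal's code; the parameter names, their preferred sequence and the page path are assumptions, and it goes a little beyond the post by also dropping parameters that do not identify a distinct page:

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not mojoPortal's code. Parameter names, their order and the page
// path are assumptions shaped like a forum thread url.
public static class CanonicalLink
{
    // The single preferred ordering. Parameters not listed here (tracking parameters,
    // for example) do not identify a different page, so they are left out of the canonical url.
    private static readonly string[] PreferredOrder = { "forumid", "threadid", "pageid" };

    // Builds the canonical url from whatever subset of known parameters the request carried.
    public static string Build(string path, IDictionary<string, string> query)
    {
        var sb = new StringBuilder(path);
        string separator = "?";
        foreach (string key in PreferredOrder)
        {
            string value;
            if (query.TryGetValue(key, out value))
            {
                sb.Append(separator).Append(key).Append('=').Append(Uri.EscapeDataString(value));
                separator = "&";
            }
        }
        return sb.ToString();
    }

    // Wraps the url in the meta link; '&' must be written as &amp; inside an HTML attribute.
    public static string Tag(string canonicalUrl)
    {
        return "<link rel=\"canonical\" href=\"" + canonicalUrl.Replace("&", "&amp;") + "\" />";
    }

    public static void Main()
    {
        // Two constructed requests for the same thread, parameters in different order,
        // the second one carrying an extra tracking parameter.
        var first = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "threadid", "42" }, { "forumid", "3" } };
        var second = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "forumid", "3" }, { "utm_source", "newsletter" }, { "threadid", "42" } };

        Console.WriteLine(Tag(Build("/Forums/Thread.aspx", first)));
        Console.WriteLine(Tag(Build("/Forums/Thread.aspx", second))); // same href as the line above
    }
}
```

Both requests yield the same canonical href, which is exactly what stops the search engine from counting them as two pages.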

One customer recently asked about being able to use separate read/write connection strings with MySql so they could use MySql replication as a scaling strategy. I don't know much about using this approach; it seems it could be problematic unless the replication is instantaneous. Nevertheless, I did the grunt work of going through all the MySql data classes and making it possible to use different connection strings for read and write operations. Basically I made all the read methods get the read connection string and all the write methods use the write connection string. If you don't specify a write connection string in Web.config/user.config then it just uses the read connection string, so the logic is like this:

using System.Configuration;

// Read operations always use the MySqlConnectionString setting.
private static String GetReadConnectionString()
{
    return ConfigurationManager.AppSettings["MySqlConnectionString"];
}

// Write operations use MySqlWriteConnectionString when it is configured,
// otherwise they fall back to the read connection string.
private static String GetWriteConnectionString()
{
    if (ConfigurationManager.AppSettings["MySqlWriteConnectionString"] != null)
    {
        return ConfigurationManager.AppSettings["MySqlWriteConnectionString"];
    }

    return ConfigurationManager.AppSettings["MySqlConnectionString"];
}

So, if you want to use a different connection string for write operations, just add a connection string setting with the key MySqlWriteConnectionString. I'd be interested to hear back from anyone who does use this approach with MySql. I don't know if the same scaling strategy is commonly used for MS SQL, PostgreSQL or Firebird, but I could make the same changes for those data layers if people tell me it would be helpful.
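The same read/write fallback, packaged so it can be tested against constructed settings rather than Web.config, plus a rule for the replication lag concern raised above: once a request has written, its remaining reads go to the primary so the caller sees its own write. This is an added example, not mojoPortal's code; the class and member names are assumptions, and only the two setting keys come from the post.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;

// Added example, not mojoPortal's code. Setting keys are the ones from the post;
// the class, ForWrite() and the per-request "stick to primary" rule are assumptions.
public sealed class ConnectionStringResolver
{
    private readonly NameValueCollection settings;
    private bool hasWritten;

    // Create one resolver per request (e.g. keep it in HttpContext.Items) so the
    // "stick to primary after a write" rule is scoped to that request only.
    public ConnectionStringResolver(NameValueCollection settings)
    {
        this.settings = settings;
    }

    public ConnectionStringResolver() : this(ConfigurationManager.AppSettings) { }

    // Writes go to MySqlWriteConnectionString, or to the read string if it is not set.
    public string WriteConnectionString
    {
        get { return settings["MySqlWriteConnectionString"] ?? settings["MySqlConnectionString"]; }
    }

    // Reads go to the replica until this request has written; after that they use the
    // primary, which avoids reading stale data when replication lags behind.
    public string ReadConnectionString
    {
        get { return hasWritten ? WriteConnectionString : settings["MySqlConnectionString"]; }
    }

    // Call this from write methods instead of reading WriteConnectionString directly.
    public string ForWrite()
    {
        hasWritten = true;
        return WriteConnectionString;
    }

    public static void Main()
    {
        // Constructed sample settings standing in for Web.config/user.config.
        var cfg = new NameValueCollection();
        cfg["MySqlConnectionString"] = "Server=replica;Database=mojo;Uid=app;Pwd=PLACEHOLDER;";
        cfg["MySqlWriteConnectionString"] = "Server=primary;Database=mojo;Uid=app;Pwd=PLACEHOLDER;";

        var resolver = new ConnectionStringResolver(cfg);
        Console.WriteLine(resolver.ReadConnectionString); // replica
        resolver.ForWrite();
        Console.WriteLine(resolver.ReadConnectionString); // primary for the rest of this request

        // Without the write key, both strings resolve to the single configured server.
        cfg.Remove("MySqlWriteConnectionString");
        Console.WriteLine(new ConnectionStringResolver(cfg).WriteConnectionString);
    }
}
```

Routing post-write reads to the primary does not make replication instantaneous, but it removes the most visible symptom (a user saving something and not seeing it on the next page load) without giving up the replica for ordinary reads.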

Event Calendar Pro 0.0.1.3 Released

Coinciding with this new release of mojoPortal is a new release of Event Calendar Pro. It now uses the new commerce reporting system so ticket sales are reflected in commerce reports and user purchase history is consolidated in the My Account/User Profile page. Note also that previously there was a module setting for currency but this now uses the currency setting from Site Settings. Also fixed a bug on the event detail page where the correct currency was not always displayed. Existing customers can download the new version from their Order History under My Account. Because Event Calendar Pro depends on the new reporting system you must upgrade to mojoPortal 2.2.9.2 before upgrading to the new version of Event Calendar Pro.

Form Wizard Pro 0.0.0.4 Released

This is just a minor bug fix release of Form Wizard Pro. There was a bug in the data export where the submission date for the forms was not correct: all the rows were using the submit date of the first row. This is now fixed. Existing customers can download the new version from their Order History under My Account.

Upgrade Notes for mojoPortal

If you are upgrading from mojoPortal 2.2.8.6, then you can skip uploading the /ClientScript folder as nothing in that folder has changed. It's a large folder, so leaving it out can save a lot of upload time.

mojoPortal 2.2.8.6 Released

What's New

French translation of resource files by Thomas Nicolaïdès and Bernard Cortesi. This brings us up to 17 languages that mojoPortal has been translated into!

Updated Danish Translation by Kurt Greve

Upgraded FCKeditor from 2.6.4 beta to 2.6.4 final release.

Upgraded NeatUpload to version 1.3.8.

Upgraded to the newest version of NeatHtml. NeatHtml is a tool for protecting against cross site scripting; this release fixed a bug where sometimes untrusted content would be visually clipped in WebKit based browsers like Chrome and Safari. We use it in the forums and in the blog comments.

Moved commerce reporting out of WebStore and into the core. This is a preliminary step so that we can aggregate commerce reporting across features at the site level. This will also eliminate the need for a lot of duplication of effort that would occur if we implemented reports in each commerce enabled feature. My next two add-on products will be e-commerce features, Fund Raiser Pro and Web Invoice Pro, so I'm thinking ahead and implementing commerce reporting as a core feature so I only need to implement reporting in one place and each feature will push its own data into the common reporting system. Event Calendar Pro, for example, is already a commerce enabled feature since it can sell tickets, and soon it will have the ability to push its data into the reporting system. I still have a lot more reports to develop, but the point is I only want to develop one set of them.

Implemented a separate skin setting for MyPage. This was requested recently in the forums and it was a good idea since the layout needs of MyPage are not the same as for the main content system.

Implemented a Web.config setting to disable the search index. While mojoPortal works well in Medium Trust, there can be some problems with the search index if you host multiple sites on a single installation under Medium Trust, so this provides an option to disable it if you can't get it working correctly.

Added an anchor to the ModuleTitle control so that if you have a bunch of modules on a page you can easily create links that jump right to a module with #Modulex, where x is the module id. This was also a recent community request.

Fixed a recently introduced bug in the Shared Files module where the upload controls were displayed to users who did not have upload permission.

Added better error handling to the SiteMap to prevent errors if invalid urls are entered manually. Urls are generally auto-suggested but users can override the suggestion and put in something invalid. With great power comes great responsibility, but at least with the better error handling we can keep it from causing major problems with the menu when a user puts in something invalid. We also added a regular expression validator that checks for common mistakes and typos but it doesn't prevent all possible bad urls.

Fixed a bug in the url re-writer that caused a problem in folder based sub sites. In folder based sub sites, you can have an extensionless root url like /folder1/ if you actually create a folder named folder1 and put an empty text file there named Default.aspx, but there was a bug in the url re-writer that prevented this from working. There are components available for IIS to enable extensionless urls but this approach works without any IIS add ons.

A Shout Out To Our Consulting Partners

My own small company Source Tree Solutions, LLC has only limited availability for consulting engagements. I am trying to shift my business to product sales of add on features for mojoPortal so that I can have more freedom to work on the things I think will best advance the project. Consulting will always be a part of my business but I am very selective about projects I will take on myself and prefer to be a consultant to the consultants, so I am fostering a Consulting Partners Program to build a network of reliable consultants I can refer customers to and so that there are other qualified developers I have a relationship with and could pull in as additional resources to meet tight deadlines on larger projects. So far we have 5 companies in the program.

Summit IT Solutions

Summit IT Solutions uses mojoPortal extensively in their work, providing custom feature development, skinning and hosting.

Abertech

Abertech provides custom solutions and feature development based on mojoPortal and also helps maintain the Italian translation files.

Turbo Front Office

Turbo Front Office is a Dutch company that can handle all technical aspects of your mojoPortal site so you can focus on the content. They also manage the mojoPortal Dutch Community site.

Samar Software

Samar Software provides services for mojoPortal and also maintains the Persian translation files and manages the mojoPortal Persian Language Community Site.

TALESIS

TALESIS is our newest partner in Paris France, and helps maintain the French translation files for mojoPortal.


Cool mojoPortal Linux Appliance by Jordi Massaguer Pla

Got a Google alert this morning bringing my attention to this blog post by Jordi Massaguer Pla. Jordi is doing a lot of work making cool Linux appliances with Suse Studio, and his latest one is a mojoPortal appliance. I've played around a little on Suse Studio myself but have been so busy I haven't finished any appliances yet, so I was glad to see the one Jordi has put together.

[Screen shot: the mojoPortal appliance running in VMWare Player]

It's running mojoPortal 2.2.8.2 using SQLite. You can download it from Jordi's post, boot it up in VMWare Player or Server, and log in with user tux and password linux.

Suse Studio is an amazing tool; it allows you to build a custom Linux installation with just the features and applications you want to include, and then target your build for a VMWare appliance, installation media or live CD. And you do it all from a web browser.

Thanks a lot to Jordi for putting together this appliance!
