Nekkid Ninjas

This article gives a brief introduction on layout overrides, and explains the additional assets overrides support found in Ninjaboard.

All Joomla! 1.5 native components and modules supports something called template layout overrides.

Template layout overrides allows you to copy the files that generate the html in an component, into your template.

And the component will then use the files found in your template, instead of its own.

There are times when you just want to load another image, change a little bit of css or customize a piece of javascript.

So you don't want or need to override an entire PHP file just for doing that.

Good news is that Ninjaboard supports overrides by path for all of its assets.

Every image, css file, js script and php layout can be overriden at your hearts content.

That includes frontend and backend.

Template layout override

Ninjaboard

/components/com_ninjaboard/views/people/tmpl/default.php

Your template

/templates/yourtemplate/html/com_ninjaboard/person/default.php

Stylesheet override

Ninjaboard

/media/com_ninjaboard/css/site.form.css

Your template

/templates/yourtemplate/css/com_ninjaboard/site.form.css

Script override

Ninjaboard

/media/com_ninjaboard/js/jquery/site.js

Your template

/templates/yourtemplate/js/com_ninjaboard/jquery/site.js

Image override

Ninjaboard

/media/com_ninjaboard/images/forums/default.png

Your template

/templates/yourtemplate/images/com_ninjaboard/forums/default.png

Thanks for reading! Download Ninjaboard now and give it a try.

That's right people! Just when you thought we were gonna delay it (again)

Try it out now!

Need to be convinced? Here's what's new in Beta 5:

• Views like Forums in the admin now have maintenance mode that runs once per week. They will automatically fix table relations and such when needed.
• Full downgrade support. Ninjaboard 0.5 tables are backed up during install, and will be recovered during uninstall to allow downgrades.
• Users can now be assigned to more than one usergroup at once.
• Possible to adjust spacing between forum boxes
• Custom designed premium topic icons, exclusively for Ninjaboard.
• Person page frontend. Shows the avatar, user rank and the persons latest topics.
• Auto-translator, updates your NB language file with untranslated strings for your convenience. Turn on Language debugging under Global Config to activate it.
• Tools screen upgraded
• Norwegian translation on frontend.
• Ninjaboard Stats Admin Module upgraded with another graph. Go to the module manager > administrator and publish it to ninjaboard-dashboard-tabs.
• Chameleons compatibility with Gantry Framework and Warp5 are improved.
• Views like the forums and topics views are now taking advantage of HMVC.
• The forms styling when creating a topic, posting a reply or editing a post are now even sexier and more user friendly.
• Usergroups are now easier to setup, as you get a live, human readable paragraph to the right explaining your permissions configurations.
• Improved the Sample Content available on the Tools screen.
• Added option to not make the forums title in forums view linkable. Instead of just showing a permalink, or making it linkable (which don't work well in all templates)
• Much more localizable, javascript that were previously hardcoded, now uses JText for translatability.
• Forums styling is enhanced to take advantage of more CSS3 features, and subtle highlights between rows that change correctly based on mouse hover.
• Ninjaboard 1.0 can now install on a 0.5 site, and it'll present you an option to import the 0.5 data into your 1.0 database after upgrade.
• Styling of moderation tools frontend upgraded to use Chameleon.
• Advanced CSS3 (like gradients) no longer favor WebKit based browsers. Gecko and Presto support added.
• Usability of usergroup Mapper is improved. Easier to click and drag, and mouseover highlight the end point.
• phpBB3 converter vastly improved.
• Converter speeds are dramatically faster. Things that used to take 3 hours, now take literally 3 minutes.
• Major speed improvements, queries no longer recurse!
• bbCode parser upgraded to support more tags, like table tags.

If you really enjoy using Ninjaboard, let others know here.

if you experience something that suck, there's a place for that to, just because we love you

We'll start posting some tutorials while working on RC in the coming days, like how to use the auto-translation feature to localize Ninjaboard super fast!

Cheers!

There's some buzz on twitter that Ninjaboard got an SQL injection vulnerability.

Here's the first tweet that started the buzz:

New Exploit [dos] - Joomla Ninjaboard Component (com_ninjademo) SQL Injection Vulnerability: http://bit.ly/aa5CnQ

Now, first off. The component being referenced is actually com_ninjademo.
NinjaDemo has nothing to do with Ninjaboard.

NinjaDemo is not even released, and it likely never will be either. It's an in-house extension we're using to quickly setup demo links, as seen on the Ninjaboard Demo site

The security vulnerability disclosed is that if you pass something other than an ID into the link, like this: http://ninjaforge.com/ninjaboard-demo/index.php?option=com_ninjademo&view=demo&id=[sql] then an error happens because the generated SQL query gets a syntax error.

However that's terribly wrong, follow that link and you'll get this error:

Warning:  Invalid argument supplied for foreach() in tmpl://components/com_ninjademo/views/demo/tmpl/default.php on line 11

Since NinjaDemos source is unavailable, I'll show you the code in that file here so you know what's happening:

<? foreach ($demo->links['href'] as $i => $link) : ?>

We store each demo link in a JSON encoded object. Like this:

{
	"link": ["#", "#"],
	"title": ["Foo", "Bar"],
	"image": ["foo.png", "bar.png"]
}

The reason that warning happens, is simply because if you don't supply the right id, no JSON data is fetched, so this part of our layout will fail.

There is absolutely no SQL injection happening. We take great pride in security, and NinjaDemo is also using Nooku Framework. So the id variable is sanitized multiple times before the sql query is generated.

1. URL variable is fetched using KRequest::get('get.id', 'int'), so it's sanitized as an integer.
2. The id is put as a model state, and the model state is configured as $this->_state->insert('id', 'int') in the model. Meaning it's sanitized as an integer for the second time.
3. Before the database query is generated, Nooku Framework will filter each column according to table metadata. The id is a bigint type, so it's sanitized as an integer for the 3rd time during the generation of the SQL query.

So it's pretty obvious that there is absolutely no SQL injection going on here.

"Then what is going on?"

Like I said earlier, the fault is that if the supplied ID don't exist, no JSON data is sent to the view. So when we do the foreach loop, $demo->links['href'] don't exist, as $demo->links wont hold any data, so we get a PHP warning.

What should be done in our case, is to check that the JSON data exists before trying to loop it.

That's all there is to it. I would appreciate it if the people who reported this "vulnerability" in the future contact us before making it public, so we get a chance to prevent a faulty report like this to be made public.

After all, it's common decency to alert the author before making reports public.

Especially if they think it's an piece of software that's used on many sites (they did think the extension was Ninjaboard), as it's important to be able to fix vulnerabilities so users can update their sites before they could be attacked.

We’re working hard on the Beta5 release of Ninjaboard.

Since we’re following the release schedule of Nooku Framework, we’re a little delayed. We were intending to release Beta5 last week, but the changes in the latest branch of Nooku FW 0.7, require all our views and helpers to be re-factored.

Beta5 will be released next week. And the first Release Candidate (RC) will be out the same week Nooku FW 0.7 Beta is released.

We’ll tell you all about Beta5 next week

About a week ago one of our members came to us and reported that he was suddenly getting spammed on an account that he had only ever used for our site.

We started doing some looking but as it was "only one" we figured that it was most likely something on their end.

Then the second one came in. And another.

All these customers were rather unhappy. Which is completely understandable. I would be angry too if a site was giving away my email address or not looking after their security enough that it was compromised.

More than two reports means that something is more than likely wrong at our end, so we started scouring our server for possible issues, fearing that had been hacked.

We spent a few days pouring over server logs, doing file comparisons between the copy of our site on the server and vanilla installations of Joomla and installed components looking for traces of a hacker.

We read seemingly endless security reports looking for any related to our installed versions of extensions.

After several sleepless nights and a lot of hair-pulling, we still couldn't find out how they got in and got increasingly stressed. If we had been hacked, that is one thing, but if we can't find them or stop them then we are more than just hacked, we are sunk.

Just as our panic was reaching a fever pitch we found the leak. iContact, who hosts our Ninja Mail mailing list, was hacked a couple of weeks ago, and their mailing lists were compromised.

Firstly, thanks for letting us know iContact that you handed our private member's data out!

As a result we have canceled our account at iContact and we sincerely apologize from the bottom of our hearts to our members for any inconvenience this has caused.

Luckily though, no user passwords or accounts were compromised, simply email addresses.

If it makes you feel any better, all the NF staff are also getting more spam too as a result....

If you have a list at iContact, then I suggest that you notify your subscribers that their details have likely been passed onto spammers. (and try out Mail Chimp instead)