Nekkid Ninjas

The Ninjas Reveal All
By Stian, Jul 26, 2010. Posted in Uncategorized.

Ninjaboard Beta5 drops from the sky!

That's right people! Just when you thought we were gonna delay it (again) ;)

Try it out now!

Need to be convinced? Here's what's new in Beta 5:

  • Views like Forums in the admin now have maintenance mode that runs once per week. They will automatically fix table relations and such when needed.
  • Full downgrade support. Ninjaboard 0.5 tables are backed up during install, and will be recovered during uninstall to allow downgrades.
  • Users can now be assigned to more than one usergroup at once.
  • Possible to adjust spacing between forum boxes
  • Custom designed premium topic icons, exclusively for Ninjaboard.
  • Person page frontend. Shows the avatar, user rank and the person's latest topics.
  • Auto-translator, updates your NB language file with untranslated strings for your convenience. Turn on Language debugging under Global Config to activate it.
  • Tools screen upgraded
  • Norwegian translation on frontend.
  • Ninjaboard Stats Admin Module upgraded with another graph. Go to the module manager > administrator and publish it to ninjaboard-dashboard-tabs.
  • Chameleon's compatibility with Gantry Framework and Warp5 is improved.
  • Views like the forums and topics views now take advantage of HMVC.
  • The form styling when creating a topic, posting a reply or editing a post is now even sexier and more user friendly.
  • Usergroups are now easier to set up, as you get a live, human readable paragraph to the right explaining your permission configuration.
  • Improved the Sample Content available on the Tools screen.
  • Added an option to not make the forum title in the forums view linkable, instead of only showing a permalink or making it linkable (which doesn't work well in all templates).
  • Much more localizable: JavaScript strings that were previously hardcoded now use JText for translatability.
  • Forums styling is enhanced to take advantage of more CSS3 features, and subtle highlights between rows that change correctly based on mouse hover.
  • Ninjaboard 1.0 can now install on a 0.5 site, and it'll present you an option to import the 0.5 data into your 1.0 database after upgrade.
  • Styling of moderation tools frontend upgraded to use Chameleon.
  • Advanced CSS3 (like gradients) no longer favor WebKit based browsers. Gecko and Presto support added.
  • Usability of the usergroup Mapper is improved. Easier to click and drag, and mouseover highlights the end point.
  • phpBB3 converter vastly improved.
  • Converter speeds are dramatically faster. Things that used to take 3 hours now take literally 3 minutes.
  • Major speed improvements, queries no longer recurse!
  • bbCode parser upgraded to support more tags, like table tags.

If you really enjoy using Ninjaboard, let others know here.

If you experience something that sucks, there's a place for that too, just because we love you :)

We'll start posting some tutorials while working on RC in the coming days, like how to use the auto-translation feature to localize Ninjaboard super fast!

Cheers!

By Stian, Jul 5, 2010. Posted in Uncategorized.

There is no SQL injection vulnerability in Ninjaboard

There's some buzz on Twitter that Ninjaboard has an SQL injection vulnerability.

Here's the first tweet that started the buzz:

New Exploit [dos] - Joomla Ninjaboard Component (com_ninjademo) SQL Injection Vulnerability: http://bit.ly/aa5CnQ

Now, first off: the component being referenced is actually com_ninjademo. NinjaDemo has nothing to do with Ninjaboard.

NinjaDemo is not even released, and it likely never will be either. It's an in-house extension we're using to quickly set up demo links, as seen on the Ninjaboard Demo site.

The security vulnerability disclosed is that if you pass something other than an ID into the link, like this: http://ninjaforge.com/ninjaboard-demo/index.php?option=com_ninjademo&view=demo&id=[sql] then an error happens because the generated SQL query gets a syntax error.

However, that's terribly wrong; follow that link and you'll get this error:

Warning:  Invalid argument supplied for foreach() in tmpl://components/com_ninjademo/views/demo/tmpl/default.php on line 11

Since NinjaDemo's source is unavailable, I'll show you the code in that file here so you know what's happening:

<? foreach ($demo->links['href'] as $i => $link) : ?>

We store each demo link in a JSON encoded object. Like this:

{
	"link": ["#", "#"],
	"title": ["Foo", "Bar"],
	"image": ["foo.png", "bar.png"]
}

The reason that warning happens is simply that if you don't supply the right id, no JSON data is fetched, so this part of our layout fails.

There is absolutely no SQL injection happening. We take great pride in security, and NinjaDemo is also using Nooku Framework, so the id variable is sanitized multiple times before the SQL query is generated.

  1. URL variable is fetched using KRequest::get('get.id', 'int'), so it's sanitized as an integer.
  2. The id is put into the model state, and the model state is configured as $this->_state->insert('id', 'int') in the model, meaning it's sanitized as an integer for the second time.
  3. Before the database query is generated, Nooku Framework will filter each column according to table metadata. The id is a bigint type, so it's sanitized as an integer for the 3rd time during the generation of the SQL query.

So it's pretty obvious that there is absolutely no SQL injection going on here.

"Then what is going on?"

Like I said earlier, the fault is that if the supplied ID doesn't exist, no JSON data is sent to the view. So when we do the foreach loop, $demo->links['href'] doesn't exist, as $demo->links won't hold any data, so we get a PHP warning.

What should be done in our case is to check that the JSON data exists before trying to loop over it.
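To make the three integer filters and the missing null check concrete, here is an added example; it is not NinjaDemo or Nooku Framework code. filterInt() is a hypothetical stand-in for the 'int' filter at each step (assumed to reject anything that is not a plain integer), and the table metadata, demo row and HTML output are constructed for the example.

```php
<?php
// Added example, not NinjaDemo or Nooku Framework code. filterInt() is a
// hypothetical stand-in for the 'int' filter the post describes at each step.

// Anything that is not a plain integer ("[sql]", "1 OR 1=1") becomes 0.
function filterInt($value): int
{
    $clean = filter_var($value, FILTER_VALIDATE_INT);
    return $clean === false ? 0 : $clean;
}

// Request -> model state -> query generation: the three steps listed above.
function buildDemoQuery($rawId): string
{
    $requestId = filterInt($rawId);                // 1. KRequest-style 'int'
    $state     = ['id' => filterInt($requestId)];  // 2. model state 'int'
    $id        = filterInt($state['id']);          // 3. column type is bigint
    return "SELECT * FROM demos WHERE id = $id";   // $id is always an integer
}

// Constructed demo row, stored as JSON like the object shown in the post.
const DEMOS = [1 => '{"href": ["#", "#"], "title": ["Foo", "Bar"]}'];

function fetchDemo(int $id): ?array
{
    return isset(DEMOS[$id]) ? json_decode(DEMOS[$id], true) : null;
}

// The fix the post calls for: check the JSON data exists before looping.
function renderLinks(?array $links): array
{
    if (empty($links['href'])) {
        return [];  // unknown id: render nothing instead of a PHP warning
    }
    $out = [];
    foreach ($links['href'] as $i => $href) {
        $out[] = '<a href="' . htmlspecialchars($href) . '">'
               . htmlspecialchars($links['title'][$i] ?? '') . '</a>';
    }
    return $out;
}

echo buildDemoQuery('[sql]'), PHP_EOL;                           // WHERE id = 0
echo count(renderLinks(fetchDemo(filterInt('[sql]')))), PHP_EOL; // 0
echo implode(PHP_EOL, renderLinks(fetchDemo(1))), PHP_EOL;
```

With the '[sql]' payload from the report, the query is generated with id = 0 and the view renders an empty list, which is the behaviour the original template should have had instead of the foreach() warning.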

That's all there is to it. I would appreciate it if the people who reported this "vulnerability" contact us in the future before making it public, so we get a chance to prevent a faulty report like this from being made public.

After all, it's common decency to alert the author before making reports public.

Especially if they think it's a piece of software that's used on many sites (they did think the extension was Ninjaboard), as it's important to be able to fix vulnerabilities so users can update their sites before they can be attacked.

By Mark, Jun 24, 2010. Posted in Uncategorized.

Ninjaboard Beta5 On The Horizon

We’re working hard on the Beta5 release of Ninjaboard.

Since we’re following the release schedule of Nooku Framework, we’re a little delayed. We were intending to release Beta5 last week, but the changes in the latest branch of Nooku FW 0.7 require all our views and helpers to be refactored.

Beta5 will be released next week, and the first Release Candidate (RC) will be out the same week Nooku FW 0.7 Beta is released.

We’ll tell you all about Beta5 next week :)

By Daniel, Feb 17, 2010. Posted in Uncategorized.

Apology to our members, iContact got hacked

About a week ago one of our members came to us and reported that he was suddenly getting spammed on an account that he had only ever used for our site.

We started doing some looking but as it was "only one" we figured that it was most likely something on their end.

Then the second one came in. And another.

All these customers were rather unhappy. Which is completely understandable. I would be angry too if a site was giving away my email address or not looking after their security enough that it was compromised.

More than two reports means that something is more than likely wrong at our end, so we started scouring our server for possible issues, fearing that we had been hacked.

We spent a few days poring over server logs and doing file comparisons between the copy of our site on the server and vanilla installations of Joomla and the installed components, looking for traces of a hacker.

We read seemingly endless security reports looking for any related to our installed versions of extensions.

After several sleepless nights and a lot of hair-pulling, we still couldn't find out how they got in and got increasingly stressed. If we had been hacked, that is one thing, but if we can't find them or stop them then we are more than just hacked, we are sunk.

Just as our panic was reaching a fever pitch we found the leak. iContact, who hosts our Ninja Mail mailing list, was hacked a couple of weeks ago, and their mailing lists were compromised.

Firstly, thanks for letting us know, iContact, that you handed our private members' data out!

As a result we have canceled our account at iContact and we sincerely apologize from the bottom of our hearts to our members for any inconvenience this has caused.

Luckily though, no user passwords or accounts were compromised, simply email addresses.

If it makes you feel any better, all the NF staff are also getting more spam too as a result.... :'(

If you have a list at iContact, then I suggest that you notify your subscribers that their details have likely been passed on to spammers (and try out Mail Chimp instead).

By Stian, Feb 3, 2010. Posted in Uncategorized, Ninja Forge ~ Nekkid, Ninja Group ~ Nekkid, Beta.

Ninjaboard Public Alpha released

Today I'm both proud and excited to be able to announce the first alpha release of Ninjaboard 1.0. It has been a long while coming and it's finally here. If you don't want to read on and just want to go play, go grab the package here [link]

The first Alpha release is not feature complete yet, but it already includes all the major features you expect from a forum solution for Joomla. Here is a list of all the goodies you are getting in this Alpha:


  • Categories have been dropped in favor of unlimited depth forum hierarchies.
  • Added a new and very powerful template engine which is capable of blending with any Joomla template with just a couple of clicks.
  • Added core breadcrumbs support
  • Backend is fully MooTools 1.2; for the frontend we use jQuery to be able to offer superb compatibility with any template
  • Coded from scratch using the Nooku Framework

Now, since some of these bullets are worthy of their own post, I'll focus on the feature we are most proud and excited about: the new template engine, codename 'Chameleon'.

Ninjaboard 1.0 comes with a revolutionary template engine which supports a new technique we call 'auto-skinning'. Just like a chameleon can change its skin pattern and colors to fit the scenery surrounding it to camouflage itself, Ninjaboard is capable of blending with any template you install on your site. It will simply take on the style of the template.


This is perhaps the most unique feature Ninjaboard 1.0 has. It allows you to literally set up your forum in hours, not days or weeks. No need anymore to edit PHP files and risk breaking your site, or to hire a developer to make you a custom template. It will just work and look beautifully integrated in your site!

This also means that Ninjaboard is extremely lightweight and very fast, as it reuses as much of your site's imagery and CSS as possible. The actual CSS and images in Ninjaboard are just a fraction of what's common in forum extensions in general. Yes, performance also matters.


When you look at the screenshots below you might wonder how that's even possible, as it looks like Ninjaboard is very heavy on the graphics.


Clicking a screenshot will take you to a page where you'll see links to the template vendor's demo site and such.

Also, we're currently setting up a live demo site where you get to try what you see pictured below yourself. And since I'm on the Morph team, Creativa is guaranteed to support it.


[Screenshots: Ninjaboard forums hosted by the Ember template]

Copyright ©2010 Nekkid Ninjas | Design by NinjaTheme