It is as if the the media manager buttons has been disabled.

If you were facing these problems it is most probably due to the Flash uploader not working properly with Flash version installed on your system.

Solution:

The simplest solution to fix this issue is to go to,

Global Configuration –> Systems –>Media settings.

And select ‘No’ for ‘Enable Flash Uploader’ setting, and save the settings.

That’s it, this simple. Now go back to you media manager and upload files to your heart’s content.

They were later joined by Shardul, who was already pushing for Joomla day in India at events forum in joomla.org. He was the person who was on our first coffee meet to discuss how to get going so that we get official approval from OSM. He also pushed me to create and register Joomla User Group Pune, for the event.

We met multiple times to talk and plan how things should happen.

In middle of all this, out of nowhere, Mangesh joined us. He was instrumental in actually making joomladay.co.in website usable, as Ashwin and Parth could not give the time and attention to it. He also ended up hosting the website on his server, when we started having trouble with dream host.

With organizers team ready, we needed few volunteers,  this is where Tara came into picture, he helped us with venue and insisted that we give I2IT a try. Krity worked on the content of the website and faq’s. Kinjal helped us with photographs, Rucha and Shruti helped us managing the registrations on the day of event.

Finally I want to thank Toby Patterson for coming all the way from Thailand to help us with Joomla Day.

Guys to stay updated about Joomla User Group Pune activity follow us on Twitter or Subscribe to our google group mailing list as Joomla Day is just an start.

(This is promotional article taken from

Joomla!, a very popular content management system (CMS) is as you may know an easy-to-deploy-and-use content management system. This ease of use has lent itself to rapid growth of both the CMS and extensions for it. You can install it on almost any host, running Linux or Windows. This highly versatile software has found itself in such lofty places as large corporate web portals, and humble places such as the simple blog.

Joomla! itself is inherently safe, but misconfigurations of the CMS, vulnerable components, hosts that are poorly configured, and weak passwords can all contribute to the downfall of your site. Hence, it’s always better to ensure the security of your site.

In this article by Tom Canavan, we will take a look at how SQL injection attacks can occur to your Joomla website, how we can test for SQL injection attacks, and how to stop SQL injection.

Introduction

Mark Twain once said, “There are only two certainties in life-death and taxes.” Even in web security there are two certainties: It’s not “if you are attacked”, but “when and how” your site will be taken advantage of.

There are several types of attacks that your Joomla! site may be vulnerable to such as CSRF, Buffer Overflows, Blind SQL Injection, Denial of Service, and others that are yet to be found.

The top issues in PHP-based websites are:

• Incorrect or invalid (intentional or unintentional) input
• Access control vulnerabilities
• Session hijacks and attempts on session IDs
• SQL Injection and Blind SQL Injection
• Incorrect or ignored PHP configuration settings
• Divulging too much in error messages and poor error handling
• Cross Site Scripting (XSS)
• Cross Site Request Forgery, that is CSRF (one-click attack)

SQL Injections

SQL databases are the heart of Joomla! CMS. The database holds the content, the users’ IDs, the settings, and more. To gain access to this valuable resource is the ultimate prize of the hacker. Accessing this can gain him/her an administrative access that can gather private information such as usernames and passwords, and can allow any number of bad things to happen. When you make a request of a page on Joomla!, it forms a “query” or a question for the database. The database is unsuspecting that you may be asking a malformed question and will attempt to process whatever the query is. Often, the developers do not construct their code to watch for this type of an attack. In fact, in the month of February 2008, twenty-one new SQL Injection vulnerabilities were discovered in the Joomla! land. The following are some examples presented for your edification. Using any of these for any purpose is solely your responsibility and not mine:

Example 1

index.php?option=com_****&Itemid=name&cmd=section&section=-
000/**/union+select/**/000,111,222,
concat(username,0×3a,password),0,
concat(username,0×3a,password)/**/from/**/jos_users/*

Example 2

index.php?option=com_****&task=****&Itemid=name&catid=97&aid=-
9988/**/union/**/select/**/
concat(username,0×3a,password),0×3a,password,
0×3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/
from/**/jos_users/*

Both of these will reveal, under the right set of circumstances, the usernames and passwords in your system. There is a measure of protection in Joomla! 1.0.13, with an encryption scheme that will render the passwords useless. However, it does not make sense to allow extensions that are vulnerable to remain. Yielding ANY kind of information like this is unacceptable.

The following screenshot displays the results of the second example running on a test system with the vulnerable extension. The two pieces of information are the username that is listed as Author, and the Hex string (partially blurred) that is the hashed password:

You can see that not all MD5 hashes can be broken easily. Though it won’t be shown here, there is a website available where you enter your hash and it attempts to crack it. It supports several popular hashes.

When I entered this hash (of a password) into the tool, I found the password to be Anthony.

It’s worth noting that this hash and its password are a result of a website getting broken into, prompting the user to search for the “hash” left behind, thus yielding the password.

The important news, however, is that if you are using Joomla! 1.0.13 or greater, the password’s hash is now calculated with a “salt”, making it nearly impossible to break. However, the standard MD5 could still be broken with enough effort in many cases. For more information about salting and MD5 see: http://www.php.net/md5.

For an interesting read on salting, you may wish to read this link:www.governmentsecurity.org/forum/lofiversion/index.php/t19179.htm

SQL Injection is a query put to an SQL database where data input was expected AND the application does not correctly filter the input. It allows hijacking of database information such as usernames and passwords, as we saw in the earlier example.

Most of these attacks are based on two things. First, the developers have coding errors in their code, or they potentially reused the code from another application, thus spreading the error. The other issue is the inadequate validation of input. In essence, it means trusting the users to put in the RIGHT stuff, and not put in queries meant to harm the system. User input is rarely to be trusted for this reason. It should always be checked for proper format, length, and range.

There are many ways to test for vulnerability to an SQL Injection, but one of the most common ones is as follows:

In some cases, this may be enough to trigger a database to divulge details. This very simplistic example would not work in the login box that is shown. However, if it were presented to a vulnerable extension in a manner such as the following it might work:

<FORM action=http://www.vulnerablesite.com/Search.php method=post>
<input type=hidden name=A value=”me’ or 1=1–”>
</FORM>

This “posting” method (presented as a very generic exploit and not meant to work per se in Joomla!) will attempt to break into the database by putting forward queries that would not necessarily be noticed.

But why 1=1- – ? According to PHP.NET, “It is a common technique to force the SQL parser to ignore the rest of the query written by the developer with– which is the comment sign in SQL.”

You might be thinking, “So what if my passwords are hashed? They can get them but they cannot break them!”

This is true, but if they wanted it badly, nothing keeps them from doing something such as this:

INSERT INTO jos_mydb_users
(‘email’,'password’,'login_id’,'full_name’)
VALUES (‘johndoe@email.com’,'default’,'Jdoe’,'John Doe’);–’;

This code has a potential if inserted into a query such as this:

http://www.yourdomain/vulnerable_extension//index.php?option=com_vulext

INSERT INTO jos_mydb_users
(‘email’,'password’,'login_id’,'full_name’)
VALUES (‘johndoe@email.com’,'default’,'Jdoe’,'John Doe’);–’;

Again, this is a completely bogus example and is not likely to work. But if you can get an SQL DB to divulge its information, you can get it to “accept” (insert) information it should not as well.



Secure your Joomla! website from common security threats with this easy-to-use guide

• Learn how to secure your Joomla! websites
• Real-world tools to protect against hacks on your site
• Implement disaster recovery features
• Set up SSL on your site
• Covers Joomla! 1.0 as well as 1.5

For more information, please visit:
http://www.PacktPub.com/joomla-web-security-guide/book

Testing for SQL Injections

The following examples are known good tests to detect some SQL Injection vulnerabilities.

Check for input vulnerabilities using “Single Quotes”, as used in the following login form:

howdy’ OR 1=1- -

This popular method is sometimes used in the form of a URL and you may see it appended to the INDEX.PHP in your log as follows:

/index.php?id=howdy’ OR 1=1 – -

You may also wish to try inputting one of these popular methods:

‘ OR 1=1 – -

” OR 1=1 – -

‘OR ‘x’='x

There are several more methods and this only scratches the surface of SQL Injections. They attempt to pass unchecked INPUT to the database, which will try to divulge an answer, rather than providing no answer.

Note that you may see the use of the keyword UNION in your logs (see earlier examples). This is usually an early indicator that an attempt is being made on your site.

To learn more about SQL Injections from a developer’s point of view, please refer to the following:

http://us3.php.net/manual/en/security.database.sql-injection.php

A Few Methods to Prevent SQL Injections

This is somewhat beyond the scope of this article, but the following are some things to touch upon:

Developers should ALWAYS validate the user input, that is, test for type, length, format, and range, and always consider what malicious input may be thrown at the queries.

DO NOT assume anything about the user input. For example, you shouldn’t assume that an upload box for images won’t be used for some other purpose. You should restrict the uploads to file types that you want to accept.

How will your application behave if a malicious user enters a 100-megabyte JPG where your application expects a username?

What will happen to your site if a DROP TABLE statement is embedded in a text field? What about a database command such as INSERT?

The answer is: Always enforce the size. If the maximum input is 2 Meg, then enforce it. Don’t allow bigger inputs because your users might be unhappy. If the maximum character length should be eight, do not allow inputs beyond it. This will prevent a buffer overfl ow, and other madness.

Test the content of the string variables and accept only the expected values. Reject entries that contain binary data, escape sequences, and comment characters. This is a common technique.

DO NOT ALLOW SQL statements directly from the user input. Provide a solid user interface that validates the users’ input and then uses it.

String concatenation is the primary point of entry for a script injection. So NEVER concatenate user input that is not validated, and has been checked to ensure that it has no nasty payloads.

ALWAYS assign user rights within your SITE (including you) with the LEAST privileges needed. This keeps down the possibility of using the unnecessary privileges to take over the site.

NEVER connect to the database as an admin, superadmin, or the database owner. Always keep these particular users for administrative use only.

And According to PHP.NET

“Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (for example, is_numeric(), and ctype_digit() respectively), and onwards to the Perl compatible Regular Expressions support.

If the application waits for numerical input, consider verifying data with is_numeric(), or silently change its type using settype(), or use its numeric representation by sprintf().”

There are commercially available tools such as Accunetix that can test for SQL Injections, and several sites that list recent and past extension vulnerabilities.

In essence, test your system using some of the methods mentioned, provide it an input that is totally off the wall, or find some of the exploits and try them on your test server.

Lastly, keeping your system patched is probably one of the best methods to prevent SQL Injections.

About the Author

A twenty-three year veteran of the Computer Business, and a Data Center Technology Consultant to Fortune-1000 Companies, Tom Canavan is a Certified Ethical Hacker and has a degree in Robotics and Numerical Control. He is author of the book Dodging the Bullets – A Disaster Preparation Guide for Joomla! Based Websites.

And leave some comments their.

It is a simple Joomla 1.5 module to display Tweets on a topic or event.

What it does?

akTweeter uses Twitter search to show latest 5 tweets, on any topic that you want to show tweets about. It is useful if you want to display tweets on some event or your product.

Requirements

This module is compatible with Joomla 1.5 only and released under GPLv2 License agreement.

How to use it?

1. First of all download akTweeter module and install it.
2. Go to module manager and activate the akTweeter Module.
3. Finally, edit the module and set the keyword you want to monitor.
   
   

That’s it, you are done.

If you liked it, hated it or have any suggestions just leave a comment below.

COPYRIGHT NOTICE

I have made the Flow Diagram available here for public use and/or modifications, as long as you cite me as an author. Although I have decided to share this, it took awhile to create this version, so I would appreciate getting some credit for my work.

Please refer to the Creative Commons Attribution-Noncommercial-share Alike license:

http://creativecommons.org/licenses/by-nc-sa/3.0/us/

You are free to share and make derivatives (i.e. corrections or updates), as long as you include a revision history, attribute the contributors as authors, you do not use it for commercial purposes, and you freely share the document.

You can download the request to response flow diagram as pdf file or as png file.

Here is what happens in case of Joomla 1.5…

When a request comes to Joomla website,

1) It loads framework files,  but first of all it  loads ‘defines.php’ and ‘framework.php’ files.

‘defines.php‘ as name suggest defines the some global constant for Joomla framework files and folders.

‘framework.php‘  first performs the installation check, and then initiates the process of importing all other files needed for Joomla framework to work.

2)Joomla ‘Site’ application is created, which basically means that $mainframe object is created.

Session is initialized by creating a new one if  no session exists.

3) Application is initialized,  it means that first website’s language file is loaded and then system plugin is loaded and  onAfterInitialise system event is triggered to let other plugins know that application is ready for routing.

At this stage, Joomla core is up and running.

4)Routing of Request, i.e. request is now examined to determine which component should receive the request and verifies if the user has the privilege to do the requested action.

Afterwards ‘onAfterRoute‘  system event is triggered by Joomla  to inform other plugins that system is now ready to dispatch the request to the component.

5)Application Dispatching, which basically means that requested component now get the change to handle the request. If the component does not exists then request is send to default component.

$document object is created and output from the component is buffered.

‘onAfterDispatch‘ event is triggered to let plugins know that system is now ready for rendering.

6) Application Rendering, is basically the process of putting the document buffers in the template placeholders.

If administrator has set the website to offline mode, then it shows the offline template otherwise rendered output is buffered in JResponse variable.

‘onAfterRender’ event is triggered to let plugins know that response is ready to send.

7)Response is sent, finally the buffered data in JResponse variable is sent back to the user.

This is the whole process followed by Joomla once it receives a request.

I know this is far from perfect, It would be great if some one who knows better can come up and help me improve this diagram.

PS: Join Joomla User Group India discussions at Google Group, http://groups.google.co.in/group/jugi or Joomladay.co.in

This is not the difficult part, difficult part was that, it might conflict with some other component or module that might also be using the same library.

In Joomla 1.5 you don’t have to worry about this issue any more. It now includes SimplePie library in the framework itself.

To use the library that comes with Joomla all you need to do is

jimport('simplepie.simplepie');

this will include the SimplePie library in you component or module.

Afterwards you can just create a SimplePie object start and using all the functions. In case you don’t know, here is how you can do that

$feed=new SimplePie();

Neat and simple isn’t it?

PS based on this information I have created a simple module to display new 20 tweets for a particular event, which I will be sharing in next few days.

Recently I was required to give a presentation to an agricultural college, they wanted to create a website for their college in Marathi, which resulted in akIndicPlugin for tinyMCE as Joomla uses it as default editor.

Here is how you can enable Joomla to write in Indian languages.

Step 1:Install akIndicPlugin for tinyMCE

Upload files to webserver,

• Download the akIndicPlugin
• Extract the archive using winzip etc. in a folder named akindicplugin
• Now FTP the akindicplugin  folder and all files inside it, to “plugins\editors\tinymce\jscripts\tiny_mce\plugins” in case of Joomla 1.5.x or “mambots\editors\tinymce\jscripts\tiny_mce\plugins” in case of Joomla 1.0.x, using Filezilla.

Modify the ‘tinymce.php‘ file

• Open tinymce.php file in “editors\tinymce” in  Notepad++ or your favorite editor.
• In Joomla 1.0.x find $buttons2     = implode( ‘, ‘, $buttons2 ); or goto line number 250. In case of Joomla 1.5.x  find $buttons2[] = ‘forecolor’; or goto line number 190.
• Add following lines at specified line numbers

$plugins[]            = 'akindicplugin';
  $buttons3[]            = 'akindicplugin';

• Save the file, and upload to webserver.

Once you are done, login to Joomla administrator panel and check tinyMCE, if you see a button on tinyMCE toolbar, Congratulations! you have finished the first step.

Step 2: Make Joomla To Display Indian language

This is very easy, just make sure your template has charset set to UTF8 and you are done.

Wondering how you can check that, simple just do a view source of your web page and check for following line

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

is their in the page.

If it is missing, in that case simply add above line to “index.php” file  in your Joomla template in frontend as well as administrator template.

Now to complete the whole process, just create a new language file in your language and you are done.

In web application development, that is just one thing. You need to know about lot more things before you can consider yourself successful.

So, if you know them already that’s good, you don’t need to read any further otherwise continue reading to know why each of these skills are important for you(the web developer).

Here are the skills

1. the structure : HTML
2. the presentation: CSS
3. the behavior: JavaScript

With these three skill you have ability to become the super cool static website developer or a front end developer

1. the database: SQL
2. the server-side language : PHP( other options are JSP/ASP/PERL/RUBY choice is yours, as all the fight for best happens here)

These two skill will make you a web developer.

All five of these skills will make you a most prized web developer, in your organization.

HTML

You think you know HTML, think again. I have been interviewing lot of people, they have all rated themselves nearing 7-8 out of 10, whenever I asked them to rate their knowledge of html. Every time I tried to verify their claim, they came down to 2-3, reason is simple, HTML is very simple and everyone thinks they can bluff their way through, After all what is HTML, just tables and forms isn’t?

Well you are wrong, HTML is the one of the most important skill that you should have, you should know HTML better then you know your server side language, why?

Simply because your server side language is optional, but HTML is must, even when you dream about a web page. It gives your website a structure and layout. This is what an end user see’s and care about. You don’t know HTML, you can’t fix the strange behaviors that you see in you website.

Without proper layout, you site/application is nothing. With proper use of HTML you can not only create most accessible websites, you can also create a website which will look good in absence of css and will work without javascript.

So go and revise you HTML again, and remember just know is not enough, you have to understand where to use what.

CSS

CSS is used to give the look and feel to your website. You as a web developer need to know and understand how it works, and how you can simplify the html layout’s so that it becomes manageable. Design is what your users/client sees.

On the basis of your sites design, your ability is judged initially.

CSS is easy to learn, but it’s application is another story, all thanks to browser incompatibilities. So to make your website look good in all the browser you need CSS. Just knowing CSS is not enough, you have to understand it’s application also.

JavaScript

JavaScript is not just for validations as many of you think, it is what gives you ability to do some nifty things with your webpage(like lightbox, rating’s , ajax).

It adds behavior to your website, makes it interesting and improves the users experience. If you have still not chosen any framework, do it now. jQuery, prototype, YUI, Dojo are some of the interesting frameworks that make developers life easier.

If have master all the three skills above you can already consider your self above average web developer even if that person has 10 years of experience. Remember we are in IT industry. IT is Information Technology, where Information aka Knowledge is important.

SQL

The most neglected in the bunch, when this is the second most important skill that a web developer should have.

Why? what a question, we are building web applications that almost always relay on database, If you don’t understand the SQL how do you propose to get the data fast enough from your database? Almost all the websites can be distilled down to simple SELECT,INSERT, UPDATE operations. If you can master them, you can dictate your terms.

When I say SQL I don’t just mean queries but also the database schema and intricacies of database itself.

PHP

Before you get up in arms against me for suggesting PHP and not your favorite language, understand this, I am talking about web applications only, and their is no other scripting language which is so easy to learn and program with. At the same time, it provides functions for everything you can think off that is required in a web application development environment.

Please spare me the talk about java and .net they are platforms and/or programming language. If you understand “you should not use sword to do the job of needle and vice versa” then you know what I mean.

Their are many frameworks that you can use. Also their are many ready to use open source packages that you can use and adapt to your needs, you don’t need to start from scratch all the time.

If you have read till here, then I would love to know your views on these skills and others that you think are important for a successful web development career.

Adding image galleries inside your Joomla! pages is now super simple with the “akJoomGallery” Plugin.

You don’t need a specialist knowledge to use this mambot/plugin. akJoomGallery allows you to use images in your content item as image gallery. With it’s help you can convert any content item/page into a cool image gallery.

The idea for this plugin came to my mind when we needed to show a quick image gallery to client, and we need something lightweight, with more control over how the image is shown in the gallery page itself. We could have used other big gallery components but I was not interested in something simple and quick. Check out the implementation of akJoomGallery.

This plugin is best suited to those situations where someone want’s to add few thumbnails while writing the content, and would like to display the large size images when users clicks on them, without leaving the page.

How To Install

1. Just download the akJoomGallery plugin.
   1. akJoomGallery for Joomla 1.0.x
   2. akJoomGallery for Joomla 1.5.x
2. In Administration panel of Joomla goto Installers ->Mambots(for Joomla 1.0.x) or to Extensions -> Install/Uninstall(for Joomla 1.5.x) .
3. Upload this package file and Install.
4. Now go to Mambots -> Site Mambots ->akJoomGallery or Extensions -> Plugin Manager->content – akJoomGallery and publish/enable the plugin based on the version you are using.

Now, enjoy the simplest image gallery with lightbox effect.

How To use

The concept is simple, next time when you are adding a image in the post or page, just remember to link you image to full size image, or to image that you want to show in the Gallery. You may want to check “title” attribute of anchor tag, this will be displayed below the image as caption in the image gallery.

Here is an example.

<a href="images/stories/joomla-dev_cycle.png" title="joom development"> <img src="images/stories/joomla-dev_cycle.png" border="0" /></a>

“title” in anchor tag will show below the images in the gallery, while “href” is the link to bigger image that needs to be shown in the gallery.
At the end of content item/page just add {akgallery} to tell the plugin that this page contains images that needs to be shown as gallery.

This mechanism gives you, the content writer, more control over way thumb images are being displayed on the page. You choose and format you images in the gallery page. Once the user clicks on the image it opens all the image in a javascript based gallery with lightbox effect.

Credits

I will say all credit goes to Stephane Caron for creating, simple to use, prettyPhoto plugin that made this possible.

Please leave a comment if you need any sort of help with this plugin.

Update(13-7-2008): Fixed issue identified by Kim and asdftiger in comments below. I would like to thank asdftiger for help provided for identification of the issue. Links above(in how to install section)  now points to updated version.