Tag: drupal

Drupal community in bondage

The Drupal community has been whipped into a fury after a prominent contributor was asked to leave the project by its leader, Dries Buytaert, because he was into BDSM.

Larry Garfield, a prominent Drupal contributor and long-time member of the Drupal and PHP communities, was forced out over his unconventional sex life. Garfield is into BDSM, and is a member of the Gorean community, “a community who are interested in, and/or participate in, elaborate sexual subjugation fantasies, in which men are inherently superior to women”.

While that might not float anyone else’s boat, apparently it harms Garfield’s ability to code and he must be cast out of the open saucy world.

There are some who feel that the ability to code is not really dependent on how you have sex and it is Buytaert being far too much like a dominant control freak.

Buytaert said there were no 50 shades of grey in his project and the removal was black and white. It was “because it came to my attention that [Garfield] holds views that are in opposition with the values of the Drupal project,” he hissed.

Buytaert said that when a highly-visible community member’s private views become public, controversial, and disruptive for the project, he must consider the impact. Of course that applies to Garfield and not his views, which strike us as a little puritanical.

“I cannot in good faith support someone who actively promotes a philosophy that is contrary to this …any association with Larry’s belief system is inconsistent with our project’s goals,” he said. The project’s goal is about writing a bit of code to get content up on a website; it does not appear to mention anything about sexual preferences at all.

Over at the site the following statement has been printed:

“We want to be clear that the decision to remove Larry’s DrupalCon session and track chair role was not because of his private life or personal beliefs. The Drupal Association stands by our values of inclusivity. Our decision was based on confidential information conveyed in private by many sources. Due to the confidential nature of the situation we cannot and will not disclose any information that may harm any members of our community, including Larry.”

But what is alarming here is that somewhere there is apparently a moral code of sexuality which developers are not supposed to cross – Open Source is not open after all but subject to the moral code of the person who runs the project who apparently does not want to use a safe word.

Drupal floored by poor update security

Web content management studio Drupal is flawed by several bugs in its update process which could allow hackers to take over the sites the CMS creates.

Drupal is not as popular as WordPress but is used by some fairly serious content businesses. Now IOActive’s Fernando Arnaboldi has warned that there are three major flaws in Drupal’s update process that may allow attackers to poison Drupal installations via update packages.

In the worst cases, even servers can be taken over.

Drupal can be updated from its backend administration panel, just by pressing a button. The CMS is also fitted with an automatic update checker, for both its core and its modules. This lets admins know when a new version is out and allows them to quickly apply the update package and move on to other more important things.

The first problem is with failed update queries. Because of various connectivity issues, Drupal sites may sometimes fail when checking for an update. When this happens, the CMS prints the “All your projects are up to date” message, instead of clearly stating that the update has failed to complete.

Attackers could flood local networks with traffic when an update process is taking place, forcing the CMS to print an erroneous update status in the backend.

The Drupal admin might think their site is up to date when in reality it remains vulnerable to tens of dangerous bugs, which can quickly add up when not keeping the CMS properly updated.

Arnaboldi said that the second issue has to do with the “Check manually” button included on the Drupal update page. This button allows the site’s administrators to check for new updates on command, and later apply the update. This button is vulnerable to CSRF (Cross-Site Request Forgery) attacks.

“Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” he wrote.

The third flaw is more critical and has to do with the fact that Drupal’s update process is unencrypted. By sending everything in cleartext, an attacker present on the local network in the form of an infected computer can sniff out traffic between the Drupal CMS and the drupal.org servers, and detect when an update process is started.

The hacker can launch a simple MitM (Man-in-the-Middle) attack, spoof communications, and send malicious update packages to the CMS instead. Arnaboldi used the third flaw to backdoor a Drupal update on a test website. He packaged a reverse PHP shell that gave him access to the Web server running the CMS, and later extracted the MySQL database’s username and password (image below).

What is weird is that Drupal had known of this issue since 2012, but only recently reopened discussions on fixing the problem, after Arnaboldi made the announcement. It still does not have a fix but is apparently working on it.
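The first and third flaws come down to two checks an update client should make. The sketch below is an added example, not code from Drupal or from Arnaboldi's write-up: it reports a failed query as a failure rather than as "up to date", and it accepts a package only over HTTPS and only if it matches a pinned SHA-256 digest. The function names, the `fetch_latest` callable, the version numbers and the `updates.example.test` URLs are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum
from urllib.parse import urlsplit


class UpdateStatus(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    CHECK_FAILED = "check failed"  # a failed query is never reported as up to date


def _version_key(version):
    # "7.43" -> (7, 43); raises ValueError on anything that is not dotted integers
    return tuple(int(part) for part in version.strip().split("."))


def check_for_update(installed, fetch_latest):
    """Return (status, latest_version).

    fetch_latest is a hypothetical callable standing in for the network query;
    it returns a version string or raises OSError (timeout, reset, DNS failure).
    """
    try:
        latest = fetch_latest()
        newer = _version_key(latest) > _version_key(installed)
    except (OSError, ValueError, AttributeError):
        # Network failure or an unparseable reply: the update state is unknown.
        return UpdateStatus.CHECK_FAILED, None
    status = UpdateStatus.UPDATE_AVAILABLE if newer else UpdateStatus.UP_TO_DATE
    return status, latest


def verify_package(url, payload, pinned_sha256):
    """Accept a package only if fetched over HTTPS and matching the pinned digest.

    pinned_sha256 is assumed to arrive over a channel a network attacker cannot
    alter (for example a signed release manifest), not in the same cleartext reply.
    """
    if urlsplit(url).scheme != "https":
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())


def unreachable_server():
    # Constructed failure: what a flooded or blocked network looks like to the client.
    raise TimeoutError("update server unreachable")


if __name__ == "__main__":
    package = b"constructed package bytes"  # constructed sample, not a real release
    pin = hashlib.sha256(package).hexdigest()
    print(check_for_update("7.41", unreachable_server)[0].value)
    print(check_for_update("7.41", lambda: "7.43")[0].value)
    print(verify_package("http://updates.example.test/p.tgz", package, pin))
    print(verify_package("https://updates.example.test/p.tgz", package + b"!", pin))
    print(verify_package("https://updates.example.test/p.tgz", package, pin))
```
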

Drupal 8 goes "round the horne"

Drupal’s creator, Dries Buytaert, has been talking up the open saucy project’s latest offering in the style of Round the Horne’s Julian and Sandy.

Buytaert, who probably has never heard of Round the Horne, has been saying that the new version of Drupal 8 will be “bold”. If he had, he probably would not have used the phrase.

Buytaert said his bold new creation may not be out by the end of the year, and will be available whenever it’s ready.

This version will incorporate elements of the Symfony2 Web framework as Buytaert continues to try to take the software away from being a content management system towards a unified web platform that organisations can standardise on to build web-based services, for both internal and customer focused sites.

According to Computerworld, Buytaert wants the software to deliver an organisation’s key corporate websites to intranets, smaller-scale sites built for one-off events and other public and internal web tools.

Part of the problem is that big companies have dozens of websites and organisations have frequently ended up using point solutions for different websites, ending up with multiple platforms to deliver a corporate website.

He said that there was a real desire in the market right now to simplify that and standardise on newer systems and that is where a bold Drupal fits in.

Buytaert claimed that there were more organisations saying we’re just going to standardise on Drupal because they don’t need to have engineers that have different skillsets, it can just make a Drupal team to maintain all of the websites.

Kill your trolls with Drupal's Misery

The online content management system Drupal has just penned a natty module to deal with trolls who attack your website.

The software, called Misery, provides web owners with the power to punish the trolls with a list of sanctions that would probably even make Gaddafi surrender.

Misery is supposed to be an alternative to banning or deleting users from a community. It punishes them and means that the web owner has the pleasure of knowing they are suffering.

The module allows you to create a random-length delay for the troll visiting your site. This would give the appearance of a slow connection. It does this 40 percent of the time which means that it will probably be OK after they have called their ISP’s technical support to find out what the problem is.

Another punishment is to present the user with a white screen 10 percent of the time or to send them to the wrong page.

Misery can also send them to a random node accessible by the user or serve them a 403 Access Denied page. Another good one is a 404 Not Found error.

Since this will happen 10 percent of the time, the troll will assume that the problem is at their end.

Our favourite is an “error” which means that forms will not submit 60 percent of the time.

If the troll is still using Internet Exploder 6, Misery can crash their browser. Since anyone using IE 6 is used to having their browser crash, they will think nothing of it.

After a while, the troll will subliminally associate your site with pain and go away. That is the theory of course, however some of the trolls at TechEye would need to be zapped with at least a trillion volts several times before they would leave.

Joomla! Catches the Irish software fancy

Joomla describes itself as an open source content management system (CMS) which has gained such popularity since it appeared in September 2005 that web designers and entrepreneurs increasingly regard sites built around it as standard issue.

The great advantage for any business updating or redeveloping a web site using a CMS is that once the site has been built, updates can be done in-house by staff with little or no technical knowledge. This means that companies which update content on their web sites regularly can save a great deal of money by using a CMS such as Joomla.

And because content on CMS-based sites can be updated more frequently, organisations with CMS-based web sites are likely to be ranked higher by search engines than competitors with sites where content is not updated as often.

However, some Joomla! developers have reported problems optimising pages to interact with search engines.

So why has the Joomla! CMS become so popular when a Wikipedia search reveals that there are a host of rival content management systems such as SilverStripe, Drupal and WordPress, many of which are also open source?

And how easy is it to find people in Ireland with experience of using the Joomla CMS to build sites? We talked to Irish Joomla developers to find out.

Sean Owens is Managing Director of Willows Consulting, which claims to be the longest established Joomla! development business in Ireland.

After working for Oracle, Owens went on to found Willows Consulting in 2003, an Irish web development agency that now provides clients with a Joomla! CMS as standard.

Willows Consulting specialises in the development and customisation of web-based open source applications. It is headed by Owens and Aine Williams and employs a staff of seven people across Ireland and Poland.

Willows Consulting has a client base of more than 150 companies and it also provides training in open source application development.

Willows Consulting used Joomla in a 2007 website redesign and development for CityJet which aimed to create a clear site with a professional look and feel that reflected the client base. That site included a full featured online document manager that allowed suppliers to access documents and images from a secure central repository and advanced traffic analytics which allowed the airline to identify emerging trends on the web and to maximise benefits from them.

“The CityJet site proves that open source web based solutions are now of a standard to deliver serious cost savings to large organisations while not compromising on quality,” Owens said after the site went live. Willows has also used Joomla! as the basis for a corporate intranet for Bord Na Mona, the Irish semi-state body that controls turf harvesting.

With IT budgets in Ireland being cut by around 20% on average, thanks to the recession, Owens says that Joomla! is becoming increasingly popular with Ireland’s semi states. It is also reported to be increasingly popular with public sector organisations in the UK and across Europe.

“When the Mambo development forked, a lot of the brains went to Joomla!, while some of the brawn stayed with Mambo. Joomla! has a very active development community behind it, while Mambo’s last release was in 2008,” commented Sean Owens, who began working with Joomla when the CMS was called Mambo.

Owens offers a word of caution to corporates preparing to dip a toe into the world of Free/Libre Open Source Software (FLOSS): “Open Source products should carry a health warning saying because this is free software there are no guarantees – you are taking a risk. You will find people on message boards ranting about problems they’ve encountered that they can’t seem to get fixed. They act like they paid for it, but they forget the investment from them was zero. It’s the spirit of open-source,” says Owens.

Corporations planning to build a complex site can also consider using some of the excellent plug-ins and templates available for purchase, as apart from cutting development time, they are likely to have been more rigorously tested than free components. However, Owens adds another cautionary note about using Joomla Add-ons – “We would be reluctant to use very many add-ons, as in many cases they alter core files and nail you into that product structure,” he explains.

Owens is looking forward to the beta release of Joomla 1.6, which is currently in Alpha testing. He believes that Joomla 1.6’s enterprise features will make it very attractive to corporate users. It will be possible to limit users to modifying particular areas of a site’s content. For instance, only accounts personnel would be able to modify entries in the accounts parts of the CMS, while other areas could be restricted to senior management, or other departments.

Willows Consulting is busy despite the downturn. Last quarter it launched several Irish sites, including zuva.ie, an independent valuation site, artglass.ie for a company making architectural glass installations and a site for the Haiti house building charity, havenpartnership.com.

Irish web designer David Monaghan founded Fluid New Media in January 2008 after 12 years’ experience in the creative industries. He began using Joomla! after exploring various ways to edit content online. “The main advantage for clients of using a CMS such as Joomla!, is that anyone can make changes to their own web-content, even without any technical knowledge and at no additional cost.”

Also, because no user licence is required for Joomla! this further reduces the cost to the client. Instead of trying to hide this from customers, Monaghan actively promotes it:

“At Fluid New Media we embrace Joomla! software and pass the benefit and value onto our customers by producing a website that exactly meets their requirements, while providing full support if they need it. We offer each new client a free consultation to establish their needs before deciding whether to base their site on a Joomla! Platform,” he explains.

Monaghan uses many of the 3,500 Joomla! plug-ins that are available, to provide his clients with shopping carts, podcasting and event registration facilities.

While around 60% of the add-on components that now exist are still free, a very active market has developed with paid-for plug-ins and the open source community now charges for about 30-40% of the Joomla! add-on components that exist. One of the most popular is Virtuemart, an eCommerce plug-in.

Specialist code development companies such as iJoomla also produce commercial add-ons which can save developers lots of time. For instance, iJoomla has just updated its popular Ad Agency component by releasing a new version which can retail for as little as $79.

So why use a web designer with Joomla! experience rather than learning how to use Joomla! yourself? According to Monaghan: “The benefits of using our service are clear – it’s down to time. Our clients don’t need to spend their valuable time mastering this product. Instead they can leave the development stage to us and divert that time to sales. Our knowledge of the product ensures that all of its functionalities are exploited to the optimum to meet customer requirements. Once the site is delivered, clients can keep their content fresh by updating it themselves”.

“Developing a website can be a daunting prospect and we aim to keep it as simple and engaging as possible for customers. The highest compliment paid to us is that the majority of our customers were recommended to us by others.”

Emmet Dunne, co-founder of Dublin-based web development agency Kooba.ie, is another Joomla user who is busy despite the recession. “We have worked on a few Joomla! projects for a number of our clients,” Dunne said. “It is a great tool, but the benefits of using it depend on the requirements of the website. For large projects with quite specific requirements, it can be more cost effective in the long term to develop bespoke content management tools, as opposed to using Joomla.”

Other Joomla developers agree that the Joomla CMS requires a steep learning curve. One Twitter user said that while one could become reasonably adept with it in a short time, it takes about a year’s experience to really master it.

A short history of Joomla
Joomla is written in the PHP programming language and uses the MySQL database to store information. Joomla results from a fork of the Mambo open source CMS which occurred in August 2005.

Before 2005, what is now the Joomla CMS was known as Mambo. The Mambo CMS was first developed in Australia as a proprietary software package but was released as open source software in 2002.

The Joomla CMS emerged in 2005, following the decision of Miro International to trademark the Mambo name and form a non-profit foundation, when Mambo developer Andrew Eddie posted a letter to the open source community on the Mambo web site. The entire Mambo development team left Miro and created a web site called OpenSourceMatters to distribute information to Mambo users, developers and web designers. This generated a lot of controversy in the open source community about the meaning of open source software. Within a day, more than a thousand developers had joined the project.

After gaining the support of Free software campaigner Eben Moglen, who founded the Software Freedom Law Centre (SFLC), the team renamed the Mambo fork Joomla, which comes from the Arabic word jumleh, meaning “all together” or “as a whole”. Version 1 of Joomla! was released on September 1st 2005.

Joomla! won the Packt Publishing Open Source Content Management System Award in 2006 and 2007. Johan Janssens, elected by the Joomla community, led the development of Joomla 1.5, which was released on January 22, 2008.

The most recent stable release is version 1.5.14, released in July 2009.

In June 2009 an alpha version of Joomla 1.6 was made available for testing. According to the website of Brian Teeman, one of the co-founders of the Joomla project, nobody knows when Version 1.6 of Joomla will arrive, but this is no reason to delay starting a web project based on Joomla, as most of the functionality needed will be in Version 1.5.14.