Moa

As seen on the front page, we've been patching!

I don't think it was a major issue personally. Obviously being vulnerable is, but the particular method used for the remote code execution relies on very outdated and minimally secured server which should be almost non-existant.

To test we had fixed the problem we first had to set up a weak server. I turned off the php options on my local install... and the exploit still didn't work. Because of the flavour of Linux I use, Apache has extra security built in that wouldn't allow them to be off anyway (Suhosin). So I tried my live web server VPN and that had the options turned off by default (I'm not going to turn them off there as I have other sites running). My old web host that I still have a site hosted with, also secured. Eventually Rich got his Apache crippled enough to be exploitable and we could test it with and without the patch. My point is that even trying to be insecure still took us 4 attempts on different servers to succeed (or is that fail?). This method of PHP exploit is well known and you really do have to go out of your way to be a target.

Anyway, It's taken a chunk of time out of the new 1.2.1 development. These two security patches have been ported over to 1.2.1 now as it is different enough to not be mergeable due to the config system upgrades. The config is finished in both templates and fully working. It does still need adding to the installer though. We also added .gif and .png support as it was fast to throw in. There are a few more non-feature bits to do, mainly tidying up so almost there.

Hitting the ground running again after 1.2.0 and made a start on the first of the new features - a config screen.

We have shifted all of the main config variables out of the file they were in and they will now live in the database instead. The database config vars obviously will stay in a file, and the main config.php is able to override any of the database vars if needed. We specifically want this functionality after I had to set up a forum once to have two installations using the same master database for shared messages. It is nasty trying to hack that functionality into a system so we are providing this simple way around it. The config page will only save to the database however so changes to a second frontend install will have to be done manually, but anyone doing that would know what they were doing anyway.

We have the config page added and a form built and styled in both templates. Next up is writing the server-side part to save the new vars and javascript to verify them before a submit and hide/show the different sections.

I spent this evening working on a design for a new Joomla template for moagallery.net as well. The current one was only ever meant to be temporary but we wanted to get 1.2.0 out before starting on a proper one. Several bits need changing on this - I don't like the sf logo where it is, the text is all a bit too big and the news box is not styled in any real way yet. But as a preview of what we are aiming for it should be ok.

Looks like someone didn't bother to check if Moa was already in use as a software title - http://www.moa-express.com/ - At least we spent some time checking it wasnt used first before settling on Moa.

Still working on the second template atm. The last two months have been busy for both of us so not as much done as would have liked. We redid parts of to make sure it was semantically correct and just putting the finishing touches to the look now. Then got to revisit the original version and check that is semantic as well, then should be good to release.

We have decided that we will go with the new numbering method and that this template system will actualy be 1.2.0. Then following up with the options screen, a third template and few other bits as 1.2.x releases.