Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

• recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
• there’s also XID field, which seems to be unique for each page load

Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

I’ve notified the developers.

It was only today that I’ve noticed Microsoft Office Live in Available updates (using Microsoft update). Curiosity led me to find out that Office Live is a suite of online word processor, presentation editor, spreadsheet and note-taking software, limited to a 500 MiB diskspace – free, developed by Microsoft. Office Live appears to be built on top of SharePoint.

Main emphasis of their website is on collaboration and access from anywhere to your documents. Although Firefox (together with IE) is listed as a supported browser on XP/Vista/MacOS (Linux is not listed), there is a note that some Office Live features require ActiveX. So Office Live is not really a match for Google Docs in portability (quite expectedly).

An update installs some new menu commands into Office XP/2003/2007, which allow working with Office Live from within your local M$ software.

I wonder if there is already an OO extension which allows working with Google Docs – no more wondering, here it is (thanks Paolo!).

Came across typealyzer, which allows to “determine” the blog author personality.

Mine is ESTJ – The Guardians:

The organizing and efficient type. They are especially attuned to setting goals and managing available resources to get the job done. Once they´ve made up their mind on something, it can be quite difficult to convince otherwise. They listen to hard facts and can have a hard time accepting new or innovative ways of doing things.

The Guardians are often happy working in highly structured work environments where everyone knows the rules of the job. They respect authority and are loyal team players.

Typealyzer currently supports only English and Swedish blogs.

I’ve seen someone reading my blog from a 320×240 handheld device, and realized that it must be pretty inconvenient. Testing my blog with the help of ready.mobi confirmed my worst expectations with a mobile-readiness score of 1.

I’ve installed and then tested one-by-one a series of WP plugins designed to make your blog mobile-accessible. Testing was done using ready.mobi; all plugins were using default settings – except for viewMobile, which had Images option set to Resize, not Keep As Is.

On Mobilize by Mippin plugin ready.mobi exited with error “Could not retrieve page content”, which is no wonder as Mippin plugin redirects the handheld device’s browser to mippin.com, which converts the page into mobile-accessible form (however, it is indeed strange that mowser.com plugin worked fine, though it is also a redirector). I’ve used mippinmaker to estimate what would my blog look like via mippin – and it appears to me that mippin is using my RSS as the source of content; actually, plugin description explicitly states that. I’m sure this would get real high scores on ready.mobi, but I can’t find the way to test that; thus Mippin plugin didn’t participate in the final feature-based comparison.

viewMobile plugin is a clear winner best by score in “plugins” group – it has the highest scores in the feature table (well, after mowser plugin, which is not a plugin but a redirector to an external service). Also, in addition to “keep as is” and “downsample”, there is an option to “strip” images – I presume that would bring the page size further down. However, viewMobile removes comment forms from posts; at the same time, PDA & iPhone plugin preserves comment forms – thus it is better for my purposes.

The mowser-based service has even higher scores than viewMobile – but is an external dependency. For my blog, I decided to stick to PDA & iPhone plugin. Also, such a low page size (see table) is due to mowser splitting the tested main blog page into two pages – and ready.mobi then only weighs the first (much smaller) page; so there is no benefit in page size when using mowser.

Please comment to share your experience of turning your blog mobile-accessible, or of reading my blog from handheld/mobile devices.

P.S. If you are used to visiting websites and blogs from your handheld device, and those sites/blogs are not optimized for mobile devices, I’d recommend using the free mowser service (though Opera Mini is easier, I guess).

P.P.S. This post wasn’t sponsored by mowser or any other mentioned services

Important update: clearly, viewMobile and any other PHP-level mobile accessibility plugins are incompatible with SuperCache. So either (super) caching, or mobile version – but not both. I’ll have to look into possible solutions.

Update 2

A “clever” solution would be to have a subdomain or even a different TLD domain for the mobile version of the blog (to avoid SuperCache interference – ideally, both database and files would be the same, but some tiny bit of configuration would make all the difference; the easiest tiny bit would be a mod_rewrite rule). Another good solution would be to modify SuperCache’s mod_rewrite rules, so that mobile User-Agents aren’t fed cached versions – and thus viewMobile has a chance to trigger and serve correct version (this solution doesn’t require another domain or subdomain, but is less reliable).

I’ve tried mowser plugin, but it suffers from the same cache interference problem (because it is also PHP-level, and SuperCache works at apache and mod_rewrite level). For the same reason, PDA & iPhone plugin wouldn’t work as well.

For now, I’ve disabled SuperCache (leaving WPCache on), and turned on PDA & iPhone plugin (unlike viewMobile, it does show the comments form below each post). Seems working. Will look into domain/mod_rewrite solutions.

Update 3

SuperCache is back on, except for a list of mobile User-Agents; those User-Agents were also added to SuperCache’s UA exclude list. Thus now if a “normal” browser requests a page, such a request is cached, or a cached page is fed to the browser. If the mobile browser requests a page, it is not fed a cached page even if one exists, and cache page is not created while running WP’s PHP engine. Tested using both built-in browser (I could even fill in captcha while commenting) and Opera Mini on a Samsung phone: seems to work fine. However, all of ready.mobi’s phone emulators for some reason choked on the comment form’s textarea, refusing to display the page. I ignore this but if compliance is important then viewMobile will be a better choice than PDA & iPhone.

Drawbacks of this solution: 1) mobile requests are not cached, 2) if the mobile browser’s User-Agent is not in the list, then it will be fed a standard-looking page, 3) hard to maintain – need to update both the list of UAs in .htaccess and in the configuration of SuperCache.

Better solutions are welcome.

To cut the long story short: for the final evaluation, I had this line of control panels:

• SysCP
• Domain Technologie Control, DTC
• Virtualmin (also Webmin, Usermin)
• ISPConfig
• RavenCore (no longer developed)
• GNUPanel

SysCP: looks good to me (though demo isn’t functional), has customer billing module. Unsure as to where it is used, but most probably sponsors are also the users of SysCP. Majority of support forums are in German.

DTC: has no demo, only some screenshots. Has a set of packages for Debian lenny (which is a huge plus for maintenance and future upgrades). DTC is being developed by GPLHost, and is also used by GPLHost – so this is a live (used) distribution. Seems quite feature-rich.

Virtualmin claims to be the “world’s most powerful and flexible web server control panel”. Virtualmin offers 4 means to control it: Web, mobile device, command line, and remote API. There are both screenshots and demo. Has both GPL and Professional versions. GPL version has a number of limitations, comparing to Pro version. From what I’ve read about Webmin (all three – Virtualmin, Webmin, Usermin – are just different “layers” of server control), it is a framework with a number of “interface scripts”, which allow to control various services. As such, it is easily extendible, but is not monolithic – in the sense of module inter-dependencies and action triggers.

RavenCore was a promising CP.

GNUPanel is a year-old control panel, but has a news item on the front page (dated August, 17) promising new, completely rewritten release somewhere in October. By the feature list, looks promising. However, I need the panel right now, and even in October, that will be quite a rough release, not really used/tested anywhere, so not a good option as well. But GNUPanel is a panel to check in half a year for progress.

As the final choice, I had ISPConfig (which seems to be the best by people’s comments), and which is also quite widely used, and is easy to install onto Debian (at least the Perfect setup: Debian Etch says so), and DTC. I discarded Virtualmin (for the poor functionality of the GPLed version), RavenCore (for the lack of current descriptions and non-functioning demo), GNUPanel (which just isn’t ready yet), and SysCP (because ISPConfig seems better ).

As DTC has Debian packages (and will be easier to maintain/upgrade), I decided to try it first. I already have it installed (that’s easy, esp. if you first read the DTC Debian Express Setup). Later I might post my impressions from using DTC.

Update: DTC is indeed easy and pleasant to use. I had problems allowing FTP and SSH access using MySQL authorization, but at least FTP was an easy one to fix (SSH access with MySQL authorization is still unconfigured, but that’s a low priority for me). There is a minor concern about the files and directory permissions setup, but thanks to chrooted environment that is only minor concern. Use of a single Apache installation for hosting admin and serving user sites might be a sub-optimal decision, but it works. Traffic and disk space accounting are plain superb! Server memory use for the dtc-toaster installation is troublesome, but for a powerful RAM-my server that is not a problem (I now have about 800-900MiB RAM occupied, but that includes the XCache’s cache, quite big MySQL cache, and loads of Apache and PHP modules).

But I’m still willing to try other control panels. As I expected, GNUPanel hasn’t released anything yet; Ravencore‘s online demo is still unfunctional; ISPConfig has recently released RC (and their demo is working as it should and as it used to); SysCP is also up and running fast. If my little hosting service starts pouring in some cash, then I’ll try SysCP on my second server – to compare it with DTC, and choose one of them for further support/extension/localization.

I’ve tried it already under Windows, but as my main OS is Debian, I can’t use it

You can sign up for updates on Linux version.

After reading the Google Chrome book, it is a long time waiting for it to be released for Linux….

Also, I’m looking forward for the plugins to enhance Chrome. Although it did import my settings/passwords(?!)/bookmarks from Firefox, but it has no Foxmarks, AdBlock and some other goodies I’m now used to on all the computers I regularly use.

Update: as of FireFox/IceWeasel 3.0.14, this bug appears to be fixed.

When right-clicking many links in FF3/IW3, it quite often happens so that a random action is performed instead of opening the context menu (bug report).

One of the solutions work-arounds (suggested by Andre Pirard) is to slow-right-click, that is to hold the right mouse button down until the menu actually appears, then – and only then – release it. Or, you can even slow-right-click, move the pointer over the desired menu item, and then release – that will perform the desired action in a single long right click (instead of more common single right click with a following single left click.)

Alternative workaround (found at the bug report page): install the mouse gestures add-on, and restart firefox. Tested: works for me.

This bug/behaviour is otherwise unsolved.