Board index PBase News javascript disabled.

News

javascript disabled.

slug
Site Admin
Site Admin
 
Posts: 598

javascript disabled.

Post Tue Jul 10, 2007 6:35 am


Apologies, but due to cross-site scripting vulnerabilities, we have been forced to disable javascript entirely.
We very much regret limiting your ability to use javascript to enhance your site, but cross-site-scripting would easily allow an attacker to steal cookies and gain access to many PBase accounts.
You can read more about this type of attack at http://www.cgisecurity.com/articles/xss-faq.shtml

We will be looking for a solution so that you can continue to use your stat counters and other javascript features.

We've been avoiding this action because we would like for you to have the flexibility that javascript can offer.
Unfortunately, this kind of attack is so easy to implement, and the possible damage so great, it would be negligent for us to ignore it.


One of the most common uses of javascript is by people who enable various statistics services on their pages.
We hope we can come up with a method to at least allow the necessary javascript for some of the more popular stat counter services.

For the time being, on galleries with javascript has been removed, you will see a explanation message if it is your own gallery so that you will be alerted to the change.

Again, we're truly sorry for the sudden change and the affect it might have on your site, but we really have no choice.

Thanks to Erik Persson for pointing out to me how much of a risk this is.

-Chuck Neel
slug@pbase.com

nordic
 
Posts: 58


Post Tue Jul 10, 2007 7:09 am


thanks for letting us know, just wondered why this site is still running a frontpage slideshow?

http://www.pbase.com/oochappan

nordic

andrys
 
Posts: 2701

Re: javascript disabled.

Post Tue Jul 10, 2007 7:19 am


Slug, it should be hign on your priorities to give such a basic ability.

Since you can code in IF 'statcounter' style conditions, it shouldn't take too long. Already SmugMug not only supports it but encourages use of statcounter and helps people use it. Why can they do so many things you can't. You've been around longer.

With this, the site is falling behind again, relative to other sites, which is very discouraging.

Worse, now the Luis Bunuel slideshow is not working either, for so many of us who put time into this. It was a plus of this site that we could control these things. Now, there's less reason to keep us here when search tags don't work, we can't use statcounters, nor our own slideshows which you must know are harmless and can be controlled through conditional programming.

I'm not asking you to allow javascript willy nilly but to make a table of okay ones or conditions that you can control, as the other sites do.

I don't give a fig about buying prints with expensive frames, which is what has appeared to take so much time away from fixing basic features here. I'm a fan of PBase but that's going to QUICKLY fade unless you guys find a way around this. We already spend a lot of our time trying to help you avoid spam on your site that lowers the value of your site to people viewing.

Now your workaround is again to take away the main feature - flexibility - that you have over other photo places.

We hope we can come up with a method to at least allow the necessary javascript for some of the more popular stat counter services.


You're better than that. You can do it and should make it first priority (outside of displaying photos). Thanks for trying to do this as soon as possible.

Again, we're truly sorry for the sudden change and the affect it might have on your site, but we really have no choice.


Sure you do. Do some programming of OKAY javascript to run.
Certainly statcounter is one of them.

srijith
Moderator
 
Posts: 2321
Location: Amsterdam

Tricks that will not work any more

Post Tue Jul 10, 2007 8:05 am


Toggling gallery description visibility - http://forum.pbase.com/viewtopic.php?t=19880
Right-click disable - http://forum.pbase.com/viewtopic.php?t=29799
Automatic processing to achieve larger thumbnails - http://forum.pbase.com/viewtopic.php?t=31816
Last edited by srijith on Tue Jul 10, 2007 8:33 am, edited 2 times in total.

andrys
 
Posts: 2701


Post Tue Jul 10, 2007 8:30 am


srijith,
Some of us who do travel do want to provide info also. I've modified my front page to eliminate the javascript. What a wholesale crippling.

kerrym
 
Posts: 311


Post Tue Jul 10, 2007 9:05 am


Well, I'm really disappointed. Have spent hours getting that slideshow going, and haven't got time to put in hours again. Neither have I time to do the research and read up all these links you're going to give us.

I need you guys to sort it, and let me have my creativity showing back on my homepage.
Kerry Mitchell NZ
http://www.pbase.com/kerrym

andrys
 
Posts: 2701


Post Tue Jul 10, 2007 9:15 am


nordic wrote:thanks for letting us know, just wondered why this site is still running a frontpage slideshow?

http://www.pbase.com/oochappan

nordic


I guess shockwave flash running something offsite is okay.

I wish they'd let Statcounter run THEIR code on *their* servers by
just making some kind of conditional statement to allow that specifically.

flemmingbo
 
Posts: 435
Location: Denmark, Copenhagen


Post Tue Jul 10, 2007 10:01 am


I feared this would happen someday, and that is the prime reason why I haven't implemented Luis' great slideshow code.

This is very bad news, I do agree that cross-site scripting is dangerous but you have to very very quickly create a work-around for this so things like the slideshow and statcounters will work. Otherwise you will have a lot of really disappointed customers who may look elsewhere.
Flemming Bo Jensen Photography
Gallery: http://www.pbase.com/flemmingbo
My photography blog: http://flemmingbo.wordpress.com

luchoogenstein
 
Posts: 1


Post Tue Jul 10, 2007 10:04 am


Too bad pbase didn't send a notification about this action, so that we could take some action of our own. Now (at least at my site) there is a big black square where there used to be a slide show, which doesn't look very appealing.
I hope there will be some alternative way to get the side going on again, and that you let us now how we can get the opening page running again as it should be.

regards,
Luc

madlights
 
Posts: 914


Post Tue Jul 10, 2007 10:34 am


I had noticed that in my comments I'd been getting some with almost like 5 letter codes such as
abckd bedgh prexp obegk flepk

I had let a couple stand for a few days. One was from Mexico and think a couple were of Russia email addys. I noticed when javascript was disabled that they disappeared. Would these have had anything to do with the scripting vulnerabilities? I always wondered what those types of messages were..and usually I'd delete them immediately?

andrys
 
Posts: 2701


Post Tue Jul 10, 2007 10:41 am


luchoogenstein wrote:Too bad pbase didn't send a notification about this action, so that we could take some action of our own. Now (at least at my site) there is a big black square where there used to be a slide show, which doesn't look very appealing.
I hope there will be some alternative way to get the side going on again, and that you let us now how we can get the opening page running again as it should be.

regards,
Luc


Luc, if you know some HTML you can put a picture there. See my 'new'
front page for an example. It's a placeholder in case they somehow
re-enable this capability. In the meantime, I used the slideshow code
and made a facsimile of the working slideshow-page and put it on my
own website, and clicking on that page will lead people to the photo
galleries here. At least the slideshow work won't be completely lost.

madlights
 
Posts: 914


Post Tue Jul 10, 2007 11:43 am


Oh yeah....I'd like to thank PBase too for the immediate message to us...one that we would not miss. People have been asking for updates as to what is going on like this for a long time...so although regrettable that the scripting has to be disabled...thank you for the immediate notification in our galleries.

arjunrc
 
Posts: 1003


Post Tue Jul 10, 2007 11:55 am


I don't get it. The site linked in the announcement has existed for a long time and most of the attacks rely on the fact that the JS code may be allowing for inputs from the user and not html-encoding the output which could potentially. This also means, that sites like statcounter, should they want, could potentially steal our cookies using this mechanism.

However,

1) Statcounter is 'generally' regarded as a trusted site - this is not really a strong argument, but I wonder why this should only be a concern for PBase (not considering statcounter a trusted site).

2) I don't see how embedding inline JS, which accepts no user input and does not link to any external source is vulnerable, at least with XSS attacks.

To summarize, anything goes under the requirement of security. But PBase is a photo-hosting site like hundreds of others. We don't store bank information here. The absolute worst that could happen would be if a user
does inject XSS vulnerable JS (not just ANY JS), he *might* have his personal photos stolen.

I would think it is a matter of making the right level of adjustment and recognizing that PBase is but a photo hosting site.

regds
arjun
--
I don't check forums very often these days, so if you need to get a response from me, please send me an email (see my profile) and NOT a PM.

srijith
Moderator
 
Posts: 2321
Location: Amsterdam


Post Tue Jul 10, 2007 12:15 pm


arjunrc wrote:I don't get it. The site linked in the announcement has existed for a long time and most of the attacks rely on the fact that the JS code may be allowing for inputs from the user and not html-encoding the output which could potentially.

5 years to be precise! Given this what comes across as odd is that PBase decided to withdraw 'support' completely, without warning one day and what a way to announce it - in the forums! Come on, for heaven sake. You have email address of almost all paid members in your db. The least you could have done was to let us know by email and given us a couple of days to sort the things out and not end up with broken galleries! A new low in customer support.

To summarize, anything goes under the requirement of security. But PBase is a photo-hosting site like hundreds of others. We don't store bank information here. The absolute worst that could happen would be if a user
does inject XSS vulnerable JS (not just ANY JS), he *might* have his personal photos stolen.

I would think it is a matter of making the right level of adjustment and recognizing that PBase is but a photo hosting site.


Arjun, I do not completely agree with you that just because it is a photo sharing site, it is ok to be lax about security issues. If someone had indeed gotten hold of user cookie information and gained access to multiple accounts, the PR nightmare that PBase faces would have been pretty bad too.

The sudden and complete removal of JS support is what irks me. Couldn't PBase use a user's 'good' record (paid membership for atleast a year or something similar) to provide some support? As others have mentioned, couldn't they allow JS from Statcounter and other similar 'trusted' services?

andrys
 
Posts: 2701


Post Tue Jul 10, 2007 12:17 pm


arjunrc wrote:I don't get it. The site linked in the announcement has existed for a long time and most of the attacks rely on the fact that the JS code may be allowing for inputs from the user and not html-encoding the output which could potentially. This also means, that sites like statcounter, should they want, could potentially steal our cookies using this mechanism.


Do you mean the latter would be true IF the code allowed for input from
the user (which it doesn't) ?

1) Statcounter is 'generally' regarded as a trusted site - this is not really a strong argument, but I wonder why this should only be a concern for PBase (not considering statcounter a trusted site).


Right.

2) I don't see how embedding inline JS, which accepts no user input and does not link to any external source is vulnerable, at least with XSS attacks.


Right. Have you considered writing Slug, in case he doesn't come back
here to check for responses? I think it's a very important point.

I'm paying for my statcounter due to not wanting to download the
log every 6 hours. So PBase has made my payment get me zero-data.

To summarize, anything goes under the requirement of security. But PBase is a photo-hosting site like hundreds of others. We don't store bank information here. The absolute worst that could happen would be if a user does inject XSS vulnerable JS (not just ANY JS), he *might* have his personal photos stolen.


The photos we openly show anyway? But yes, the password-protected
ones would be an add'l problem IF user-input was part of the code.

The statcounter code is entirely inline and doesn't ask for input, as you
point out.

I would think it is a matter of making the right level of adjustment and recognizing that PBase is but a photo hosting site.


Thanks for the cool logic here. Maybe Slug will explain why he may
feel even inline code with no input is to be disallowed. Or is it that they
don't want to code conditional allowances for statcounter code etc.
I saw how difficult that was for the Show & Tell forum's short-term
post-counter last month.

Next

Board index PBase News javascript disabled.

Who is online

Users browsing this forum: CCBot and 2 guests