News

[arjunrc]

Okay, now that I am fuming less for not getting any notice on this, Slug and I have exchanged a few emails offline on this.

There is another angle, that was not discussed. It may be hard for others to compromise your site with JS, but it is very easy for YOU to compromise others who visit your site. It would be very simple for me to write a simple code in my galleries. If you ever visited my site, and clicked on on one of my links, I could steal your cookie, then using that cookie, log into your galleries as your gallery owner.

However, it must be mentioned, that such an exploit, however serious, can only work if the PBase servers don't put in sufficient checks to thwart this usage. So I suggested some solutions to Slug, which PBase may or may not already be implementing.

Just FYI.
regds
arjun

[tim32225]

Since you're traveling, I wouldn't try it right now. You can SAVE
the current user-description in the edit-gallery description box, to a file
(if you have a laptop that's yours) and then edit your home page to
remove the code.

Commenting-out javascript is a bit tricky so I do recommend you save
the whole description-box contents to a file and just delete the
script code for now.

Or just add words to explain PBase disabled the slideshow code
for now. Maybe that's better, since they could be persuaded that
javascript with no user-input is safe and they might re-enable it
(though that would take special code to test that condition and I
don't know if it's realistic).

Thanks for the help, Andrys,

I had already copied the old script to a notepad file, as I do every time I tweak it. Then I removed just the javascript part from the code and left the rest. This left me with a normal looking gallery except for the black box where the slide show used to be.

Next, I tried to put one image in that box, but no matter what I do, I get the text of the image url showing up in the box, instead of the actual photo. I'm not sure how to solve this...

Before doing all of this, I tried looking at the source on your page, but it doesn't give me the answer, or else it's there but I don't recognize it. I don't think that all of what you type into the text box in the 'edit gallery' screen shows up the same when you look the source on someone's page. But I could be wrong....

Tim

[yangjp]

The slide show was one of the major reason for me to saty with Pbase. I don't see the logic here. The best way to prevent attack is to shutdown your server completely. If something is broken, you should fix it instead of disable it. Please re-eneble the JS, otherwise, a lot of peope will have to look for some other places. What's the difference between this one and the free site http://picasa.google.com ?

[slug]

We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com

[andrys]

...I had already copied the old script to a notepad file, as I do every time I tweak it. Then I removed just the javascript part from the code and left the rest. This left me with a normal looking gallery except for the black box where the slide show used to be.

Next, I tried to put one image in that box, but no matter what I do, I get the text of the image url showing up in the box, instead of the actual photo. I'm not sure how to solve this...

Before doing all of this, I tried looking at the source on your page, but it doesn't give me the answer, or else it's there but I don't recognize it. I don't think that all of what you type into the text box in the 'edit gallery' screen shows up the same when you look the source on someone's page. But I could be wrong.

Tim, in the source code there's a
"<!-- BEGIN user desc -->"

check only between that and

"<!-- END user desc -->"

The big difference was that I eliminated the code that was
part of the javascript-focused layout and switched the
image reference to straight HTML for the one jpg I decided
would be the static image.

Where I have, after the Menu of profile, guestbook, etc.,
======
TR>

<TD vAlign=top><br>
<img valign="top" src="http://www.pbase.com/andrys/image/73595598/original.jpg"><br>
======

You should be able to do
=====
TR>

<TD vAlign=top><br>
<img valign="top" src="http://www.pbase.com/tim32225/image/xxxxxxxx/original.jpg"><br>
======

I think you took your actual first picture (or any other ones)
completely out though. All I see remaining are the little spacer jpgs.

So if you put a 500-pixel picture in normal HTML as above, it should
work. No guarantees!

[andrys]

We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

WHOA. *Excellent*, Slug!

(See? I knew you could do it. Very impressed with your speed and solution!)

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

I guess we should have someone set up Luis Bunuel's slide show
on another site in a way that we could "call" it

But there's probably something similar to this that can be called?

Thanks very much for hearing us and responding so quickly. I love
the statcounter solution you're working on.

In the nick of time. A friend actually just wrote to ask about Smugmug
(which I don't like as much as PBase).

[yangjp]

I have spent months of time to get the slide show working, and now suddenly all the features have been disabled and the main page have a black hole there that looks so wired. I am not good at editing the script pages and I don't even know how to remove the javascripts. Please make it work again!

[mikelong]

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Slideshow please. I don't need a statcounter

[andrys]

Mike, it's not just a 'counter' it tells exactly what pages or searches landed the people on your page, and shows how effective certain pages are if
the visitors decide to look at your other galleries while here (visitor path).

*SLUG* -- re what else should be done re javascript things

Could there be a way for the automated
addition process of javascript in our galleries
look for the existing

<!-- Start of StatCounter Code -->

and

<!-- End of StatCounter Code -->

And then REPLACE whatever existing statcounter code
is in the gallery? after we enter our ID #'s ?

I have about 150 galleries I put statcounter code into.

I haven't been able to face removing it all.

Thanks for considering this possibility.

- Andrys (very happy about the statcounter-how-to decision)

[laprade]

Big dissapointment. I had the chance just when I resigned up with Pbase to go to Smugmug. Now, Im not sure what to do. I hope you can resolved this ASAP......

Some of us have a ton of time invested in this site!

Scott

[rymanjason]

We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com

I use Extreme Tracking (paid subscription) and would certainly appreciate your accomodations for it.

[brianlambert]

Very dissapointed. Only yesterday renewed my subscription for another year, now to find my main page slide show not working so gonna have to spend more time again now altering the page back to just a basic gallery

[mikelong]

Very dissapointed. Only yesterday renewed my subscription for another year, now to find my main page slide show not working so gonna have to spend more time again now altering the page back to just a basic gallery

Sometimes you gotta roll with it, especially for what they're charging. I just had a quote from a UK based web design company to build my new website: 2200 euros (approx. $3000) plus $600 per year to host and manage.

[zevs]

Hi!

I have really been supporting Slug and the gang in many crisises in the past, but this one....it is just incredible! There is no excuse for doing this without first telling the users what the options are and asking us how we want to go ahead. If this has been a problem at least the last 5 years, how many have got anything valuable hijacked due to this. If there are people who have had problems due the presence of the JS I would like you to step froward and tell us all what happened. And I don't mean getting strange messages!!!!

I'm a Swede myself, but I sure don't feel very appreciative of the Swede who broke the news to Slug! I'm sure just showing pics on the net could be dangerous, but please don't tell Slug, because he will probably shut the whole site down immediately if he hears that! And still expect us to pay!

Ohhh I guess I'm really mad Sorry for that, but the handling of this is really outrageous!

Zevs

[yangjp]

We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com

We don't care about the "statcounter", please make the slide-show to work again!