Board index PBase News javascript disabled.

News

javascript disabled.

tim32225
 
Posts: 89

Re: statcounter support coming soon.

Post Tue Jul 10, 2007 8:16 pm


slug wrote:We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com


Chuck,

I'm encouraged that you are apparently on top of this, so hopefully we can get these issues solved or else devise some work-arounds. I personally don't use the stat counters (used to but I canned it when you first started stripping the javascript, back at the time that right-click disable also went away).

I may look at statcounter in light of what has been said here today, but my main WISH is if you can figure out a way that we can use some sort of ROOT GALLERY SLIDESHOW like we had up until now, without severely compromising security. Like some others here, I put days and days into getting the thing the way I wanted it, and it hurt to see it go 'poof'.

Please keep us all posted here in the forums, as to the progress that is being made with this (not just the stat counter issue). I hope we also can soon get a fix for the exif bug that always says the flash was off, even when flash was used in the photo.

Tim

arjunrc
 
Posts: 1003


Post Tue Jul 10, 2007 8:17 pm


Guys, my suggestion is not to keep posting on which javascript support to enable or not. Clearly, there will as as many opinions as the different JS code being used (for some statcounter, for some slideshow, for some a scrolling news bar etc.)

A better mechanism would be to set up a poll in another non News thread where people can vote so that PBase can review it.

More importantly, let us think of constructive mechanisms on how PBase can expose a secure framework where potentially users can implement restricted JS code.

regds
arjun
--
I don't check forums very often these days, so if you need to get a response from me, please send me an email (see my profile) and NOT a PM.

flemmingbo
 
Posts: 435
Location: Denmark, Copenhagen

Re: statcounter support coming soon.

Post Tue Jul 10, 2007 8:23 pm


slug wrote:We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com


That's great news, thanks for that Chuck! This is a step in the right direction, so lets hope that a statcounter solution will be available very soon - and after that I think a solution to be able to use Luis' slideshow code would be high on everyones list!

regards, Flemming
Flemming Bo Jensen Photography
Gallery: http://www.pbase.com/flemmingbo
My photography blog: http://flemmingbo.wordpress.com

zevs
 
Posts: 67

Re: statcounter support coming soon.

Post Tue Jul 10, 2007 8:24 pm


yangjp wrote:
slug wrote:We will have an implementation for statcounter.com services soon, most likely today.
There will be a place in your account settings to enter your statcounter variables (project,partition,security) and then the javascript will appear on your pages. This way you'll easily get the full JS version on all your pages which will be a better solution than the previously existing method of having to edit all your galleries one by one.

After statcounter, we'll start working on support for other third party services that require javascript. I'd appreciate hearing from you to get an idea of which ones we should concentrate on first.

Thanks,
Chuck Neel
slug@pbase.com


We don't care about the "statcounter", please make the slide-show to work again!


Kind of agree, it is the slide shows we have been working on for hours to get them working, so let us have a workaround for that as soon as possible, today sounds fine to me!

Zevs

lschell
 
Posts: 60


Post Tue Jul 10, 2007 8:32 pm


I am not sure what the Bunuel slideshow is, I don't think I am using it. I am probably using something else, something that still displays the first photos, so at least I don't have to edit anything on my page while JS is off. But I really would appreciate it if my slideshow would be working again asap. For me that's more important than a stat counter. Thanks in advance!

Code: Select all
<TR>
<TD align=center>
<img border="1" src="http://www.pbase.com/image/36119298/medium.jpg" width="267" height="400" id="Placeholder0"></TD>
<TD align=center>
<img border="1" src="http://www.pbase.com/image/36119297/medium.jpg" width="400" height="267" id="Placeholder1"></TD></TR>


Code: Select all
<script language="JavaScript">
// Browser Slide-Show script.
// With image cross fade effect for those browsers that support it.
// Script copyright (C) 2004 www.cryer.co.uk.
// Script is free to use provided this copyright header is included.
var slideCache = new Array();
function RunSlideShow(pictureName,imageFiles,displaySecs)
{
  var imageSeparator = imageFiles.indexOf(";");
  var nextImage = imageFiles.substring(0,imageSeparator);
  if (document.all)
  {
    document.getElementById(pictureName).style.filter="blendTrans(duration=2)";
    document.getElementById(pictureName).filters.blendTrans.Apply();
  }
  document.getElementById(pictureName).src = nextImage;
  if (document.all)
  {
    document.getElementById(pictureName).filters.blendTrans.Play();
  }
  var futureImages= imageFiles.substring(imageSeparator+1,imageFiles.length)
    + ';' + nextImage;
  setTimeout("RunSlideShow('"+pictureName+"','"+futureImages+"',"+displaySecs+")",
    displaySecs*1000);
  // Cache the next image to improve performance.
  imageSeparator = futureImages.indexOf(";");
  nextImage = futureImages.substring(0,imageSeparator);
  if (slideCache[nextImage] == null) {
    slideCache[nextImage] = new Image;
    slideCache[nextImage].src = nextImage;
  }
}
</script>

<script language="JavaScript">
RunSlideShow("Placeholder0","http://www.pbase.com/image/36119298/medium.jpg;"
+"http://www.pbase.com/image/71446000/medium.jpg;"
<snap etc>
+"http://www.pbase.com/image/38612676/medium.jpg",9);
RunSlideShow("Placeholder1","http://www.pbase.com/image/36119297/medium.jpg;"
+"http://www.pbase.com/image/72731675/medium.jpg;"
<snap etc>
+"http://www.pbase.com/image/36119300/medium.jpg",9);
</script>

slug
Site Admin
Site Admin
 
Posts: 598


Post Tue Jul 10, 2007 9:02 pm


We'll definitely be adding a slideshow option.

As for the question "If this vulnerability has been her for 5 years+, and no real harm has come from it, why bother fixing it now?"

A good question, and from my point of view, it's tempting to ignore the problem and hope we continue to get lucky. This would avoid all the confusion and anger created by the sudden disabling of javascript.
However, now that I'm fully aware of the danger, it would be irresponsible to not take action and risk irrepairable damage from a hacker.
Many "hacks" are vague and unlikely, but this one is so easy to execute, it's inevitable that it would be exploited.

Anyway, I've got statcounter working on my pages now. Support for extremetracker and google analytics are next on the list to attack.
Then will work on the slideshow.

I'll post a new topic here when the statcounter config page is ready for use.

-Slug

anneb74
 
Posts: 5


Post Tue Jul 10, 2007 11:09 pm


I have that message on my page but didn't know I'm using javascript. Not sure how it applies to me. But am glad you took steps to stop any theft etc. I don't know if I use slideshow but I do use the counters. Oh well....... :shock:

kckamera
 
Posts: 1


Post Wed Jul 11, 2007 1:34 am


:cry: I had been using scripting for people to order photos. I had drop down boxes where people could pick the photo number, size and it would add everything to a shopping cart in PayPal. It was so great and so easy. And now it's GONE! Totally useless with NO warning. Now the folks have to make a list of the photo numbers and sizes and type me an e-mail. I like PBase because of its ease and because people could order directly and I would process (I didn't pick Smugmug because I wanted to control the printing).

Oh well ....

egrc
 
Posts: 11


Post Wed Jul 11, 2007 3:37 am


arjunrc wrote:I don't get it. The site linked in the announcement has existed for a long time and most of the attacks rely on the fact that the JS code may be allowing for inputs from the user and not html-encoding the output which could potentially. This also means, that sites like statcounter, should they want, could potentially steal our cookies using this mechanism.

However,

1) Statcounter is 'generally' regarded as a trusted site - this is not really a strong argument, but I wonder why this should only be a concern for PBase (not considering statcounter a trusted site).

2) I don't see how embedding inline JS, which accepts no user input and does not link to any external source is vulnerable, at least with XSS attacks.

To summarize, anything goes under the requirement of security. But PBase is a photo-hosting site like hundreds of others. We don't store bank information here. The absolute worst that could happen would be if a user
does inject XSS vulnerable JS (not just ANY JS), he *might* have his personal photos stolen.

I would think it is a matter of making the right level of adjustment and recognizing that PBase is but a photo hosting site.

regds
arjun


The problem is if for example I put cookie stealing code on my page, I could steal a lot of identities. If someone loaded any of my pages, I could steal their identity. Then I could add the cookie stealing code to every page that person has. In that way the number of identities I could steal would grow exponentially in the beginning - 10 people watching my pages gives me 10 identities to edit. If 10 people watch everyone of those pages, it would give me 110 identities etc. After some time I could start deleting pictures, sending email, reading email, watching private galleries, editing and adding descriptions, redirect everyone to my spam pages etc etc etc.
I guess pbase will solve this somehow - I guess there are ways to mitigate the risk - but the risk wasn't insignificant.

/erik

egrc
 
Posts: 11


Post Wed Jul 11, 2007 3:48 am


andrys wrote:
arjunrc wrote: Thanks for the cool logic here. Maybe Slug will explain why he may
feel even inline code with no input is to be disallowed. Or is it that they
don't want to code conditional allowances for statcounter code etc.
I saw how difficult that was for the Show & Tell forum's short-term
post-counter last month.


I think I can explain the problem. Almost every site is using cookies to store user identities. When you log in to a site, a cookie is place in your browser. When you try to load a page from the same server that put the cookie in your brower, your browser will send the cookie along with the request for the page. The server thus "knows" who you are.
Javascript can however read the cookies. If you load a page from pbase, javascript can read any pbase cookie. But javascript can do other things as well, for example contact another server with the cookie info. Suppose I put javascript that reads cookies on my pbase pages and you visit any of the pages. The javascript could then read *your* cookies, and could send that information anywhere, for example to my server where I could read the information.
Since the cookie contained your identity, this would mean I stole your identity.

This has nothing to do with input. It has only to do with one thing - javascript can read cookies. I think pbase will find some way to solve this problem, but it is not trivial.

/Erik

egrc
 
Posts: 11


Post Wed Jul 11, 2007 4:08 am


arjunrc wrote:Hi folks,

a) It is important for PBase to evaluate how XSS attacks would work. It is completely untrue that _any_ JS yeilds to XSS. Specifically, any JS code that does not take input from users and/or html encodes any output correctly is hard to attack. Is it 100% attack proof? Who knows. But by the same logic, neither is any website, JS or not. So we are not talking about expert attackers - the INTERNET is susceptible to them. The way in which the news announcement came out was like this XSS site is some sort of radical discovery.


No. I don't think you have understood how the XSS attacks work. It is rather simple. I put code on my pbase page that reads *your* pbase identity when you visit my pages. You wouldn't notice anything unusual at all. It would be just another visit to a pbase page.
I can then use your identity to do almost whatever you can do at pbase. I could for example add the code to your pages so I could steal the identities from everyone who visited your pages.

b) I am hugely irked by the continuous hammer-handed attitude shown. PBase - we don't use statcounter because we WANT to. We use it because we NEED to. And we need to, because your own implementations are patchy to say the least (besides looking at vertical lines of PBase's own stats, it does not provide any useful information to us). Same holds true for your priniting service - no idea when user printing will come out, but who uses PBase to print their _own_ photos, and that too, only framed?


Pbase will find a solution.

You just don't go about ripping down full support just because someone pointed you to the XSS site.


I informed pbase, but I didn't post any link. I demonstrated exactly how easy it would be to steal identities here at pbase. I even "stole" my own identity to make sure it worked. I put up the code for pbase to see how easy it was.

c) I stand by the fact that this is a Photo hosting site. Srijith, you have a point about bad PR if bad things happen, but my point is that the answer to that is not disabling JS. Disable external script reference if you want. Dsiable form inputs if you want. Force HTML encoding in any document.write if you want. And also, if a user decides to use JS on his site, put out a disclaimer form stating that the user indemnifies PBase with such use and the user recognizes that JS could potentially be exploited.


If you allow scripts it is *VERY* hard to limit what you can do. It is almost impossible. But there could be other ways to solve the problem.

Again, completely ham-handed and with no respect to users. Had PBase the decency to send all users an _email_ a week in advance, I would have gladly been more supportive, even to this nature of stripping.

Irked beyond belief
arjun


I would say it is out of respect for the users pbase has done this. It is not pbase that would be harmed primary if I would point your page to a porno site, or if I would point your galleries to my site or whatever I could do.

/erik

shawnkraus
 
Posts: 352

A Possible Substitue For Slideshow

Post Wed Jul 11, 2007 6:12 am


I created an animated GIF not sure if this is the answer but try my site link and let me know what you think.

http://www.pbase.com/ShawnKraus

andrys
 
Posts: 2701

Re: A Possible Substitue For Slideshow

Post Wed Jul 11, 2007 6:40 am


shawnkraus wrote:I created an animated GIF not sure if this is the answer but try my site link and let me know what you think.

http://www.pbase.com/ShawnKraus


That's a nice workaround and Photoshop makes this easy to do.

Gifs have a dottiness I'd rather not have though, but you mitigated that
by keeping the animated gif small. I like what you did. Serves the
purpose of showing multiple images you like.

kerrym
 
Posts: 311


Post Wed Jul 11, 2007 9:21 am


Please Email.... ????

I found the message on my site early this morning (NZ time) and now it's about 12 hours later. We're now up to page 4 of comments.

I work a 45 hour week, plus heaps of extra responsibilities because of my family situation. I really don't want to read everybody's comments and opinions because it will take ages to view and consider every thought.

However would the administrators please keep us up to date with this - and by that I would request that we have any significant changes emailed to members. That should be something really easy for you to do. I've run message boards myself, and I know it's easy.

I've never had an email out of Pbase and can't even get a response when I tick "notify me when a reply is posted" (Somebody once said it didn't work). So is there something wrong with that too?

I'd really like communication and updates on this, without having to read through the forums to find out what's happening. Please....... don't ignore.
Kerry Mitchell NZ
http://www.pbase.com/kerrym

srijith
Moderator
 
Posts: 2321
Location: Amsterdam


Post Wed Jul 11, 2007 9:30 am


kerrym wrote:Please Email.... ????

I found the message on my site early this morning (NZ time) and now it's about 12 hours later. We're now up to page 4 of comments.


Looks like a great opportunity for PBase-users Yahoo groups
http://tech.groups.yahoo.com/group/pbase-users/

What say you, Andrys?

PreviousNext

Board index PBase News javascript disabled.

Who is online

Users browsing this forum: No registered users and 3 guests

cron