
PostPosted: Tue Jul 10, 2007 12:36 pm
by arjunrc
Hi folks,

a) It is important for PBase to evaluate how XSS attacks would work. It is completely untrue that _any_ JS yields to XSS. Specifically, any JS code that does not take input from users and/or html encodes any output correctly is hard to attack. Is it 100% attack proof? Who knows. But by the same logic, neither is any website, JS or not. So we are not talking about expert attackers - the INTERNET is susceptible to them. The way in which the news announcement came out was like this XSS site is some sort of radical discovery.

b) I am hugely irked by the continuous hammer-handed attitude shown. PBase - we don't use statcounter because we WANT to. We use it because we NEED to. And we need to, because your own implementations are patchy to say the least (besides looking at vertical lines of PBase's own stats, it does not provide any useful information to us). Same holds true for your printing service - no idea when user printing will come out, but who uses PBase to print their _own_ photos, and that too, only framed?

You just don't go about ripping down full support just because someone pointed you to the XSS site.

c) I stand by the fact that this is a Photo hosting site. Srijith, you have a point about bad PR if bad things happen, but my point is that the answer to that is not disabling JS. Disable external script reference if you want. Disable form inputs if you want. Force HTML encoding in any document.write if you want. And also, if a user decides to use JS on his site, put out a disclaimer form stating that the user indemnifies PBase with such use and the user recognizes that JS could potentially be exploited.

Again, completely ham-handed and with no respect to users. Had PBase the decency to send all users an _email_ a week in advance, I would have gladly been more supportive, even to this nature of stripping.

Irked beyond belief

PostPosted: Tue Jul 10, 2007 12:38 pm
by arjunrc
andrys wrote:
arjunrc wrote: I don't get it. The site linked in the announcement has existed for a long time and most of the attacks rely on the fact that the JS code may be allowing for inputs from the user and not html-encoding the output which could potentially. This also means, that sites like statcounter, should they want, could potentially steal our cookies using this mechanism.

Do you mean the latter would be true IF the code allowed for input from
the user (which it doesn't) ?

For this to work, your script needs to take some form of input, and then use the content, UN-HTML-encoded, on the screen (for example, document.write($userinput) instead of document.write(safeencode($userinput))).
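The document.write($userinput) versus document.write(safeencode($userinput)) distinction drawn above, as an added example that is not from the thread: the render functions stand in for document.write so it runs outside a browser, and the function names, the tag-count check and the sample URL are assumptions.

```javascript
// Added example, not code from the thread. Pure functions replace a real
// document.write so this runs without a browser; all names and the sample
// URL are assumed/constructed.

// HTML-encode the characters that let text escape a text node or a
// double-quoted attribute value (the "safeencode" step from the post).
function safeEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable shape: document.write($userinput). Untrusted text becomes markup.
function renderCaptionUnsafe(userInput) {
  return '<p class="caption">' + userInput + '</p>';
}

// The hardened shape: document.write(safeencode($userinput)).
function renderCaptionSafe(userInput) {
  return '<p class="caption">' + safeEncode(userInput) + '</p>';
}

// One place such input comes from: a query parameter in the page URL.
// In a page this would be window.location.href; here the URL is passed in.
function captionFromUrl(href) {
  return new URL(href).searchParams.get('caption') || '';
}

// Cheap review check over generated markup: count HTML tags. The template
// above contributes exactly two; any more came from the input.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

// Constructed sample: a caption parameter carrying a script tag.
const CONSTRUCTED_URL =
  'https://example.invalid/gallery?caption=%3Cscript%3Eevil()%3C%2Fscript%3E';

const caption = captionFromUrl(CONSTRUCTED_URL);
console.log(countTags(renderCaptionUnsafe(caption))); // 4: the input added two tags
console.log(countTags(renderCaptionSafe(caption)));   // 2: only the template's own
```

A script that writes only constants (a counter image, a fixed slideshow list) never reaches the unsafe branch, which is the point made in (a) above.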

JavaScript

PostPosted: Tue Jul 10, 2007 12:41 pm
by shawnkraus
I had worked for a few months on my site to get it to finally do what I wanted and with just a click or two it seems it was all taken away without even the slightest bit of notice. My subscription to pbase comes due in about 2 months and I may have to take a look at the other sites out there that host photos and galleries. Sad to see my hard work go down the drain. I now am faced with the task of aligning text that was misplaced on the page due to the blank space left from the JavaScript I was running. I wonder if PBASE will reimburse me for time lost. I doubt it. I will be taking a good hard look at the other sites on the web to see what they have to offer.

PostPosted: Tue Jul 10, 2007 12:46 pm
by polyvios
I would think it is a matter of making the right level of adjustment and recognizing that PBase is but a photo hosting site.

You know what? So is smugmug! And they're offering shopping carts, custom layouts, cool looking stylesheets, custom headers, custom footers and Oh yeah.. they support Javascript! Don't even get me started on the beauty of zenfolio...

It's just sad when one of the pioneers fails to grow with the rest of the industry, even worse when they take a step backwards. Unless of course you consider redesigning the front page after 4 years, while ignoring real issues repeatedly requested by users, growth. Honestly even the search function is messed up!

For the record my inline photo loader slideshow and inline statcounter were hardly a menace to anyone's security.

PostPosted: Tue Jul 10, 2007 12:50 pm
by madlights
PBase did announce it, if you had java enabled in galleries, with an announcement on the gallery page of the user's site. I.e. if you had, say, 'Extreme Tracker', a message came right up on the gallery that javascript had been disabled. However about the only really malicious thing that I could see being done was to order our own photos using our passwords :D :D :D ...but maybe I'm missing something. If PBase would have the photo selling option enabled as they've been promising, then indeed it could be dangerous to the user....maybe ...although my understanding of all this is way below the level of all of you.

PostPosted: Tue Jul 10, 2007 12:50 pm
by madlights
madlights wrote: PBase did announce it, if you had java enabled in galleries, with an announcement on the gallery page of the user's site. If you had, say, 'Extreme Tracker', a message came right up on the gallery that javascript had been disabled. However about the only really malicious thing that I could see being done was to order our own photos using our passwords :D :D :D ...but maybe I'm missing something. If PBase would have the photo selling option enabled as they've been promising, then indeed it could be dangerous to the user....maybe ...although my understanding of all this is way below the level of all of you.

PostPosted: Tue Jul 10, 2007 12:53 pm
by madlights
LOL I hit the "edit" button and I quoted myself instead, and now the edit button is GONE! :D :D :D

PostPosted: Tue Jul 10, 2007 1:06 pm
by nitroimage
WOW, I go to bed last night and all is well in Pbase land. I wake up this morning and look what I find. All I want to know is will my slideshow be enabled at some point, say in the next day, month or into the future? Like arjunrc said, I am also irked beyond belief!!

PostPosted: Tue Jul 10, 2007 1:31 pm
by mikelong
This is SO old school

PostPosted: Tue Jul 10, 2007 1:45 pm
by bluemars
I don't know much about programming and security things.
But one thing I can't understand is how a site like pbase, with thousands of paid members all around the world and a trained staff behind it, can't set up a 'secure' way to allow statcounter (which is considered a safe site)?
If this is not going to be allowed, Pbase must have a full statistics service. Because I really use the statcounter information for different issues concerning my pbase gallery.
Just my 2 cents.

PostPosted: Tue Jul 10, 2007 2:09 pm
by arielen
I know nothing about HTML/Javascript and it took me more than two weeks to run a slideshow on my site with the help of kind and talented PBase members, and I can't recall how many emails I received from other members just to run statcounter on my site. I really appreciate their help but all of their hard work is gone now. :( :cry: :(
Slug and Emily please do something.

PostPosted: Tue Jul 10, 2007 2:33 pm
by avsphotos
It is highly unprofessional of PBase to suddenly turn off the capability without at least warning users ahead of time to give them a chance to at least make the modification to their site and have minimal impact. I would have expected better...

I hope you guys fix this issue or suggest easy alternatives to having slideshow on the front page...It will be sad if we are forced to look elsewhere because of this issue....

Also, in the future, some advance warning would be helpful!

The suddenness of this is really irritating...

PostPosted: Tue Jul 10, 2007 2:48 pm
by tim32225
I have been a long supporter of pbase, and I haven't really considered very seriously moving to another site. This is mainly because I've always enjoyed tweaking my own stylesheets, and joining with the others here to share and modify stylesheets within the community.

But we all got cold-cocked on this one without any warning.

I realize that there are security issues, but just what they are and how they can be exploited is a little bit above my understanding at the present time. I have read the comments from those more knowledgeable here who say that the kind of script we were using for the slideshows is not vulnerable, and so I wonder who to believe.

I have liked pbase up till now, but this latest twist really makes me wish I had not just coughed up for another 2 years.

I think Slug should offer a refund of their unused account balance to those who decide to bail out to Smugmug or some other service, if pbase cannot come up with some acceptable work-around for this in a "reasonable" amount of time. And for those who are not so familiar, I'm talking about a time frame that is much more reasonable than what we usually get here (let's say a week), instead of the usual couple of months that it usually takes for anyone to even notice a comment or complaint.

I've usually been very tolerant of these delays, mainly because I know the staff is small (if you can even call it a staff), and the price is inexpensive. But this one is pushing me to the edge. I was just thinking about how many of the really good photographers have left pbase due to the normal delays in getting any kind of a response to a problem, or even a notification of what's going on when there is an outage (last winter comes to mind, when we couldn't upload properly for over a month) and yet there was not even any post from Slug or Emily about what was going on with the server problems. It was nice that we all got a couple months credit afterwards for that fiasco, but a little forewarning would have gone a long, long way. Just as it would have NOW.

I don't have time to completely change my site right now because I'm traveling. I just wish I knew a way to insert a photo in that big black hole that used to be a slideshow, until I get time to dig into this better, or decide on some other hosting site.

Any help in this from any of the 'regulars' here, would be appreciated.
PostPosted: Tue Jul 10, 2007 3:28 pm
by andrys
Since you're traveling, I wouldn't try it right now. You can SAVE
the current user-description in the edit-gallery description box, to a file
(if you have a laptop that's yours) and then edit your home page to
remove the code.

Commenting-out javascript is a bit tricky so I do recommend you save
the whole description-box contents to a file and just delete the
script code for now.

Or just add words to explain PBase disabled the slideshow code
for now. Maybe that's better, since they could be persuaded that
javascript with no user-input is safe and they might re-enable it
(though that would take special code to test that condition and I
don't know if it's realistic).

Re: javascript disabled.

PostPosted: Tue Jul 10, 2007 3:45 pm
by ltobias
slug wrote: Apologies, but due to cross-site scripting vulnerabilities, we have been forced to disable javascript entirely.
We very much regret limiting your ability to use javascript to enhance your site, but cross-site-scripting would easily allow an attacker to steal cookies and gain access to many PBase accounts.
You can read more about this type of attack at

The article is from 2002. So PBase was vulnerable the last 5 years. Maybe longer. Was it really a problem?

And again, it is old! So why do you hurry disabling JS now?

We will be looking for a solution so that you can continue to use your stat counters and other javascript features.

Many users asked for a solution last year. So you are still looking?! How long?

We've been avoiding this action because we would like for you to have the flexibility that javascript can offer.
Unfortunately, this kind of attack is so easy to implement, and the possible damage so great, it would be negligent for us to ignore it.

One of the most common uses of javascript is by people who enable various statistics services on their pages.
We hope we can come up with a method to at least allow the necessary javascript for some of the more popular stat counter services.

For the time being, on galleries where javascript has been removed, you will see an explanation message if it is your own gallery so that you will be alerted to the change.

Again, we're truly sorry for the sudden change and the effect it might have on your site, but we really have no choice.

Thanks to Erik Persson for pointing out to me how much of a risk this is.

-Chuck Neel

Maybe it was written a thousand times. You should inform your customers first.
