Posted: Tue Jul 10, 2007 4:15 pm
Okay, now that I am fuming less for not getting any notice on this, Slug and I have exchanged a few emails offline on this.
There is another angle that was not discussed. It may be hard for others to compromise your site with JS, but it is very easy for YOU to compromise others who visit your site. It would be very simple for me to write some simple code in my galleries. If you ever visited my site and clicked on one of my links, I could steal your cookie, then, using that cookie, log into your galleries as the gallery owner.
However, it must be mentioned that such an exploit, however serious, can only work if the PBase servers don't put in sufficient checks to thwart this usage. So I suggested some solutions to Slug, which PBase may or may not already be implementing.
Just FYI.
regds
arjun