Comment Field Patch
blinking8s
01-30-2006, 10:23 PM
ok, so after a few delays on the patch...we have the comment field patch available for you.
Download Link:
http://pixelpost.org/releases/comment-field-patch_012906.zip
Inside contains the file to clean the "defaced" comment from your pixelpost photoblog, as well as files to replace for both pixelpost 1.4.3 and pixelpost 1.5beta. There are brief instructions for all cases included as well.
We're sorry for the extended delay, it was ready about 24 hours ago and I got swamped, so totally my fault.
If you have any questions, please post in the 'Pixelpost Help' section.
We'd also like to send out a super special thanks to the active members here on the forum, we're not around 24/7 and it was awesome to see people coming together, even inspired the dev team to branch off some new ideas and really prepare to give you some awesome ideas and products in the future.
se.nsuo.us
02-01-2006, 07:00 AM
I just had some time to test the patch provided and I don't want to rain on your parade but I am sorry to say that the provided patch is as amateurish as the original attack :(
Try putting <IMG SRC="javascript:alert('XSS');"> in the comment and view it in Internet Exploder.
NOTE this is just one of the several possible exploits.
Also to whosoever implements the newer patch: adding IMG to your solution will not work as there are several other tags which can be exploited.... I have given better solutions on the forums in other threads. Implementing XSS input filters is in principle the same as implementing firewalls - you first shut each and every port and then start opening only the ports you require - you CANNOT do it the other way round, that is shut only those ports which you consider *might* be harmful
To the devs who have written to me that I should not make information public I would like to point out that solutions to the problem were pointed out but not implemented - users of Pixelpost now have a right to know
Hope that helps...
raminia
02-01-2006, 07:50 AM
thanks but be more considerate. I've asked you to send me info but you didn't. (you published it on the forum) and I was too busy to follow.
anyway I have more things than Pixelposting in life. there was another option to strip_tag all but it will hurt others. IMG tag was there and I didn't consider that kind of attack. That's my fault but I'm not that evil amateur. I think you can publish a better patch if you will. That's called community service!
blinking8s
02-01-2006, 12:24 PM
haha...well in that case, stripping the entire field would indeed be the better thing to do.
se.nsuo.us
02-01-2006, 01:47 PM
I don't think putting users to risk should be a laughing matter for Open Source developers :(
I guess I will put out my own solution soon - long live Open Source :)
blinking8s
02-01-2006, 02:01 PM
Well, you can be stern and think that I'm laughing at the fact there are holes in some chunked up code that is at an idle state of development lately and just stick your nose up and say you are going to do your own thing...or you can stick around and help out, not like we have had a super active staff around here lately. It's been the holidays and we're all busy getting back together now...
and sorry, but it is funny when less than 24 hours after something is given a patch, you turn right back and post it here that something is wrong with it again
se.nsuo.us
02-01-2006, 02:20 PM
and sorry, but it is funny when less than 24 hours after something is given a patch, you turn right back and post it here that something is wrong with it again
So what should I do?
After pointing out that the solution which you suggested is not the right solution in a private message I still see the same thing being handed out to users as a patch!!
And please think again who is sticking around and who is sticking their nose in the air - like I said I will put out a solution which I feel is better... and I stuck around on the forums helping when most people were getting hit!!
Hmmm... or should I write a bot which googles for Pixel post signature URLs and then goes and posts *Defaced because Pixelpost developers don't care!!*
Heh! come to think of it one can easily craft a comment which can do the above and thus self propagate - an XSS worm! Now that would be creative ;) and Pixel Post will be famous
Also let me put it out in the open that I have got at least 3 offers to fork Pixel Post along with them which I have declined - I don't like to break teams and communities but foster them...
So whether anyone likes it or not - I am staying here and calling a spade a spade and everything else whatever it deserves to be called...
Cheers
blinking8s
02-01-2006, 06:44 PM
The mix up lies with miscommunication between all of us and ramin who pulled together the first working patch that he had, which wasn't perfect. We don't have a fulltime staff and an amazing awesome development system that leaves cool notes for each other like I have seen in the past; people even always want access to CVS but it's led to more problems than anything in the long run because files get mixed up on checkout and waiting on other users and such...a lot of what is here is a compilation of what people have added and pieced together, during the holidays it's all fragmented and when we're doing our best to piece it back together things do get lost in the translation.
The way you formatted saying you would put out a solution doesn't read quite like you wanted it to I believe, and my mistake, but I took it as a form of threat to the community. It's all good and there is no reason to be heated, but if you read through the threads there are different people saying different things all the way through, and Ramin put the first solid thing together he could, and it got mixed up.
I'd love it if you would submit a straightforward solid solution, that's what this community is all about. If something is directly wrong and you can submit a corrected file with a commented fix so that we can track down the changes made for development and release, even send out as a corrected patch...that would rock.
And I spoke with you before over IM about a future cleanup, it sounded like you had some good ideas and I would love to include you in all of that.
raminia
02-01-2006, 09:00 PM
hey! where is my post here?
why are my posts moderated here and not published? why!?
EDIT:
Thanks to blinking8s, it's fixed now.
blinking8s
02-01-2006, 10:49 PM
Sorry raminia...I don't know why it had the moderation queue switched on...things should be cleared up with it now
se.nsuo.us
02-02-2006, 04:09 AM
thanks but be more considerate. I've asked you to send me info but you didn't. (you published it on the forum) and I was too busy to follow.
Heh! can the devs please be consistent in what they are asking - when I first sent you the PM about SQL injection you said post it to the forum - I did not because I had not looked into all the other possibilities and I am sure posting that to the forum would open a pandora's box. Now you are saying that I should not publish to the forums! Please note I still do not publish sensitive info on the forum - unless it has been pointedly ignored and I have a solution.
anyway I have more things than Pixelposting in life.
Yes Sir - I am not exactly unemployed either and besides my regular job and hobbies I already am a contributor to several other open source projects :)
In case you have missed the point here - I am trying to teach devs to fish rather than give them the fish... I feel that is a better form of community service.
If you publish Open Source software which you claim to be stable you owe it to the community to give them protection. You have taken up that responsibility; now shrugging it off is bad form - you should gracefully hand it over to someone you deem fit - Unfortunately, I am presuming, there is some amount of in-fighting in the dev team and it is now spilling out.
So please be considerate to your users... I will put out a more complete patch when I have time
raminia
02-02-2006, 05:53 AM
I gracefully hand in Pixelpost (if I can :)) ) to someone as rude as you and you will ruin the community in days.
O Dr. O the greatest! O The biggest teacher O Please tell me to be more considerate to my users!! O great father please teach me! Please tell all people on the forum that you teach pixelpost dev team because you are the greatest!
Thanks. That was the best answer someone could give me to the hundreds of hours and hours of scripting for Pixelpost. Take care ... I don't have time for you anymore.
se.nsuo.us
02-02-2006, 06:03 AM
ROFLMAO! I don't have time for you either Ramin - but I do have for Pixelpost as I find the program useful.
I refuse to stoop down to your level. End of thread for me!
raminia
02-02-2006, 06:08 AM
Cheers! now when I talk in your language the discussion stopped. Balance!
Please do it. Fork Pixelpost into a better software. It's not my own property. It's not even my desire to Pixelposting for good. but please delete every part of the code that I wrote and do it again. because you have no time for me buddy. Take the chance to be the ONE.
no more post here from raminia
se.nsuo.us
02-02-2006, 06:12 AM
Ramin, I will respond to you once you start talking like an adult and are done with your tantrum!
Once again! No I am not going to fork Pixelpost and I am not going anywhere I have already written that in this thread
Joe[y]
02-02-2006, 07:02 AM
can we get back to the topic on hand please?
i'm not an expert on xss despite reading a couple of the links se.nsuo.us kindly shared with us but if i'm not mistaken wouldn't a good (if only temporary) solution be to simply strip comments entirely of script and just leave them as plain text?
i'm happy to admit that the pixelpost team isn't perfect and neither is pixelpost despite our efforts - there's no such thing as perfect open-source software and when a problem, however basic, like this one pops up there's no use in pointing fingers at anyone. i for one appreciate all of se.nsuo.us's input into the project so on my behalf thanks.
anyway, yeah - what are thoughts on stripping comments down to plain text? i can't see why this would be a problem and if users care so much about their smilies or whatever they use then they just don't have to install the patch...
se.nsuo.us
02-02-2006, 07:22 AM
@Joe[y] Thanks for lending the voice of sanity to the thread
Apologies to the general public for being so harsh with my words but I stand by all of them :)
I hopefully will have time later in the afternoon and will write that patch or may be a bit later!
Let us hear which tags should be allowed - my personal recommendation is (format 'tag' => 'attribute' (allowed) )
'a' => 'href', 'target'
'b' => None
'blockquote' => None
'em' => None
'i' => None
'img' => 'src', 'width', 'height', 'alt', 'title'
'strong' => None
'u' => None
Anything more needed?
P.S. the above list is taken from Flickr
blinking8s
02-02-2006, 07:41 AM
we all started this project for fun, when pixelpunk created pixelpost it was because there wasn't anything like it out there, and we all just loved helping out. this isn't some super awesome wordpress like organization with a serious business mindset...yes we try to keep it on a remotely professional level, but we're not in it for that level of things...we love photography and pixelpost helps us share that. if we can't meet someone's needs or expectations then there is nothing we can do about that. it's a fun atmosphere, we spend hours on end helping people setup blogs and talking about photography, and in our spare time outside life and that pixelpost takes its form...this is our process and we depend on people to give feedback.
we've had a run of luck on this forum, i moderate in 4 other large communities, and this is one of the first heated debates we've had here. it's not a bad thing though so i urge everyone to just take a deep breath and be chill about it. we're all here for the same reason, and pixelpost's code isn't perfect. but with each thing we do together it gets closer and closer to what a userbase demands out of it.
i've thought about a revamp for the comments system for a while, a bbcode or markdown editor system would be nice for the future, but in truth outside a linkback to the commenter, who needs the rest of those things in a comment anyway?
whiskerz
02-02-2006, 05:31 PM
I am a new user to pixelpost. I love the fact that I can implement a photoblog without wasting my life trying to get my MT to function as such.
In regards to comments I can take them or not. Comments at least let me know I have been viewed and they can offer constructive criticism but I would like the ability to turn them on or off for individual entries. In addition, I see no reason to allow any html scripting for comments. I think plain text in a comment should be enough, if not at least an option.
Of course my desires are more involved than developing a rapid-fix to a current problem. I simply offer my opinions as fodder for your creative juices in the pursuit of a lean yet robust photoblogging tool.
Thanks for all you guys have done! *nod*
Joe[y]
02-02-2006, 06:52 PM
I love the fact that I can implement a photoblog without wasting my life trying to get my MT to function as such.
hehe. well that's exactly what pixelpost is for!
I would like the ability to turn them on or off for individual entries. In addition, I see no reason to allow any html scripting for comments.
this is something we have recently considered as well and will certainly appear in a later version of pixelpost - if not in an addon before then.
I think plain text in a comment should be enough, if not at least an option.
an option sounds like a good compromise. good thinking! thanks.
se.nsuo.us
02-03-2006, 04:16 AM
Looks like lot of people are for using plain text comments... let us hear more on this please
I'm no XSS-expert, but img-tags are probably a bad idea, consider: <img src="http://evil.host/evil.php?evil=1">
Plain text comments, with the ability to add comment-addons that allow html-tags, sounds like the best idea.
davenewt
02-03-2006, 09:43 AM
I'd be all for plain text. The only advantage to HTML is for linking to commenters' web sites... but I see no need for HTML in the actual comment field itself.
Take it easy :)
Dave.
se.nsuo.us
02-04-2006, 06:49 AM
Here are two new patches for Pixelpost 1.5Beta for comments which I feel do a more complete job of preventing XSS
http://se.nsuo.us/contrib/comment-field-patch_HTML.zip - this is based on the class here http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php and can prevent all the XSS attacks outlined in the XSS Cheatsheet and still allow some useful HTML
http://se.nsuo.us/contrib/comment-field-patch_PLAIN.zip - this strips out the HTML tags and then converts anything remaining to htmlentities - in effect this will allow only plain text comments.
Hope that helps and standard disclaimers apply ;)
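As an added illustration of the two approaches described in this post and the tag list from the earlier one (this is not code from either patch or from Pixelpost, which is PHP; it is a stand-alone Python sketch with names of my own choosing): the allowlist mode re-emits only the listed tags and attributes and accepts only absolute http(s) URLs in href/src, so a "javascript:" src is dropped; the plain-text mode strips every tag and entity-encodes what is left.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist from the post above (tag -> attributes that survive); anything not listed is never markup.
ALLOWED = {"a": {"href", "target"}, "b": set(), "blockquote": set(), "em": set(), "i": set(),
           "img": {"src", "width", "height", "alt", "title"}, "strong": set(), "u": set()}
URL_ATTRS, SAFE_SCHEMES, VOID = {"href", "src"}, {"http", "https"}, {"img"}

def url_is_safe(value):
    # Browsers skip embedded tabs/newlines when reading a scheme, so strip them before checking.
    cleaned = "".join(ch for ch in value if not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES   # "javascript:", "data:", "" all fail
class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from scratch: allowlisted tags/attributes are re-emitted as markup,
    any other tag is dropped (drop_unknown=True) or escaped so the browser shows it as text."""
    def __init__(self, allowed, drop_unknown=False):
        super().__init__(convert_charrefs=True)
        self.allowed, self.drop, self.out, self.open = allowed, drop_unknown, [], []
    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            if not self.drop:
                self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in self.allowed[tag] or (name in URL_ATTRS and not url_is_safe(value)):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in VOID or (tag not in self.open and self.drop):
            return
        if tag not in self.open:                      # stray close tag: show it as text
            self.out.append(html.escape(f"</{tag}>"))
            return
        while self.open:                              # also close anything left open inside it
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break
    def handle_data(self, data):                      # text always gets entity-encoded
        self.out.append(html.escape(data))
    def result(self):
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open))

def sanitize_html(comment):                           # the _HTML patch idea: some tags survive
    p = CommentSanitizer(ALLOWED); p.feed(comment); p.close(); return p.result()

def to_plain_text(comment):                           # the _PLAIN patch idea: strip, then encode
    p = CommentSanitizer({}, drop_unknown=True); p.feed(comment); p.close(); return p.result()
```

Note that url_is_safe accepts the plain http image URL from the earlier post, which is exactly why the plain-text mode exists: an allowlisted img still makes every reader's browser fetch whatever URL the commenter chose.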
Iron Flatline
02-05-2006, 09:52 PM
Thank you.
eleni
02-07-2006, 10:59 AM
do you have patches for 1.4.3? thanks.
se.nsuo.us
02-07-2006, 11:02 AM
do you have patches for 1.4.3? thanks.
I am sorry but I do not use 1.4.x so I do not have patches for 1.4.3...
eleni
02-09-2006, 12:46 AM
how come version 1.5 isn't official yet?
se.nsuo.us
02-09-2006, 03:25 AM
It is official - it is officially in Beta... implying that there might be small bugs, errors still left to correct. As I gather the dev team is working hard at making a stable release. I am waiting for the final 1.5 stable as well
blinking8s
02-09-2006, 03:37 AM
we have one developer getting married, another sick, another busy with school/work, and I am out on photo assignments for school as well...just a very busy time of year. A few more things are left to be wrapped up and tested then a beta two or possibly a release candidate will be released for a week or two then with proper feedback a final will be released.
eleni
02-14-2006, 10:58 AM
so the original patch (first post on this thread) is the best option if we're still using 1.4.3? better than nothing right?
se.nsuo.us
02-14-2006, 11:43 AM
Right
fauxtog
03-25-2006, 09:52 PM
I may be stupid. You decide. Anyway, I've been away from here for a while and just now installed this patch. The problem is that I have a comment or two that are keeping me from seeing my comments admin page (i think), but the undeface.php file did not remove them. I uploaded the rest of the patch, so I may be safe for future attacks, but I can't remove the few that are there. Any thoughts short of deleting the posts that contain these comments?
Here's the main culprit:
http://fauxtoblog.com/index.php?showimage=204
fauxtog
03-25-2006, 10:01 PM
OK, I don't know what I did, but it seems to be working now.
For some odd reason, all of a sudden, I could get to the comments admin page and I could see that the bad comments were still there. I tried to delete one and it went to a blank page. I hit the back button on my browser and the comment was still there. I deleted a different one, and then everything went back to normal and I deleted the two remaining comments. All seems well now.
Ghost in the machine I guess. :-)
Sezdofwud
08-07-2006, 08:17 AM
Sick.