Pixelpost

Authentic Photoblog Flavour


  #1  
01-30-2006, 10:23 PM
blinking8s
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
Comment Field Patch

ok, so after a few delays on the path...we have the comment field patch available for you.

Download Link:
http://pixelpost.org/releases/commen...tch_012906.zip

Inside contains the file to clean the "defaced" comment from your pixelpost photoblog, as well as files to replace for both pixelpost 1.4.3 and pixelpost 1.5beta. There are brief instructions for all cases included as well.

We're sorry for the extended delay, it was ready about 24 hours ago and I got swamped, so totally my fault.

If you have any questions, please post in the 'Pixelpost Help' section.

We'd also like to send out a super special thanks to the active members here on the forum, we're not around 24/7 and it was awesome to see people coming together, even inspired the dev team to branch off some new ideas and really prepare to give you some awesome ideas and products in the future.
__________________
i should say more clever stuff
  #2  
02-01-2006, 07:00 AM
se.nsuo.us
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
Not very useful!

I just had some time to test the patch provided and I don't want to rain on your parade, but I am sorry to say that the provided patch is as amateurish as the original attack.

Try putting
HTML Code:
<IMG SRC="javascript:alert('XSS');">
in the comment and view it in Internet Exploder.

NOTE this is just one of the several possible exploits.

Also, to whosoever implements the newer patch: adding IMG to your solution will not work, as there are several other tags which can be exploited.... I have given better solutions on the forums in other threads. Implementing XSS input filters is in principle the same as implementing firewalls - you first shut each and every port and then start opening only the ports you require - you CANNOT do it the other way round, that is, shut only those ports which you consider *might* be harmful.

To the devs who have written to me that I should not make information public, I would like to point out that solutions to the problem were pointed out but not implemented - users of Pixelpost now have a right to know.

Hope that helps...
__________________
http://se.nsuo.us - A photoblog of sensual, abstract nudes [may not be work safe for some]
My Pixelpost Addons, Cheesecake-Photoblog Software
  #3  
02-01-2006, 07:50 AM
raminia
Team Pixelpost
 
Join Date: Jan 2005
Location: FL, US
Posts: 3,706
thanks but be more considerate. I've asked you to send me info but you didn't (you published it on the forum), and I was too busy to follow.

anyway I have more things than Pixelposting in life. there was another option to strip_tag all but it will hurt others. IMG tag was there and I didn't consider that kind of attack. That's my fault but I'm not so that evil amateur. I think you can publish a better patch if you will. That's called community service!
__________________
Photoblog: http://pblog.raminia.com Powered by Pixelpost 1.7
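
The default-deny rule from post #2 and the strip_tags option mentioned in post #3, shown side by side as an added PHP example. It is not part of the thread and not Pixelpost code: the function names and the allowed-tag list are assumptions, and the sample comments are constructed (the first is the string quoted in post #2).

```php
<?php
// Added example, not Pixelpost code. Function names are hypothetical.

// Partial filtering: strip tags but leave <img> allowed.
// strip_tags() never inspects attributes, so whatever sits in SRC survives.
function filter_keep_img(string $comment): string
{
    return strip_tags($comment, '<img>');
}

// Default deny: escape every HTML metacharacter so nothing in the comment
// is markup, then re-open only attribute-less tags from a fixed allowlist.
function filter_default_deny(
    string $comment,
    array $allowed = ['b', 'i', 'em', 'strong']
): string {
    $safe  = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $names = implode('|', array_map('preg_quote', $allowed));
    // Only the exact forms &lt;b&gt; and &lt;/b&gt; are restored. A tag that
    // carries any attribute does not match and stays as escaped text.
    return preg_replace('#&lt;(/?)(' . $names . ')&gt;#i', '<$1$2>', $safe);
}

// Constructed sample comments; the first is the string from post #2.
$samples = [
    '<IMG SRC="javascript:alert(\'XSS\');">',
    'nice <b>shot</b>, love the light',
    '<b title="x">tag with an attribute</b>',
];

foreach ($samples as $c) {
    echo "input        : $c\n";
    echo "keep <img>   : " . filter_keep_img($c) . "\n";
    echo "default deny : " . filter_default_deny($c) . "\n\n";
}
```

With the first sample, the partial filter returns the IMG tag unchanged, while the default-deny filter returns it as inert escaped text; the plain `<b>` in the second sample is the only markup that comes back as markup.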
  #4  
02-01-2006, 12:24 PM
blinking8s
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
haha...well in that case, stripping the entire field would indeed be the better thing to do.
  #5  
02-01-2006, 01:47 PM
se.nsuo.us
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
I don't think putting users at risk should be a laughing matter for Open Source developers

I guess I will put out my own solution soon - long live Open Source
  #6  
02-01-2006, 02:01 PM
blinking8s
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
Well, you can be stern and think that I'm laughing at the fact there are holes in some chunked up code and is at an idle state of development lately and just stick your nose up and say you are going to do your own thing...or you can stick around and help out, not like we have had a super active staff around here lately. It's been the holidays and we're all busy getting back together now...

and sorry, but it is funny when less than 24 hours something is given a patch, you turn right back and post it here that something is wrong with it again
  #7  
02-01-2006, 02:20 PM
se.nsuo.us
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
Quote:
Originally Posted by blinking8s
and sorry, but it is funny when less than 24 hours something is given a patch, you turn right back and post it here that something is wrong with it again
So what should I do?

After pointing out that the solution which you suggested is not the right solution in a private message I still see the same thing being handed out to users as a patch!!

And please think again who is sticking around and who is sticking nose in the air - like I said I will put out a solution which I feel is better... and I stuck around on the forums helping when most people were getting hit!!

Hmmm... or should I write a bot which googles for Pixel post signature URLs and then goes and posts *Defaced because Pixelpost developers don't care!!*

Heh! come to think of it one can easily craft a comment which can do the above and thus self propagate - an XSS worm! Now that would be creative and Pixel Post will be famous

Also let me put it out in open that I have got at least 3 offers to fork Pixel Post along with them which I have declined - I don't like to break teams and communities but foster them...

So whether anyone likes it or not - I am staying here and calling a spade a spade and everything else whatever it deserves to be called...

Cheers
  #8  
02-01-2006, 06:44 PM
blinking8s
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
The mix up lies with miscommunication between all of us and ramin who pulled together the first working patch that he had, which wasn't perfect, we don't have a fulltime staff and amazing awesome development system that leaves cool notes for each other like I have seen in the past, people even always want access to CVS but it's led to more problems than anything in the long run because files get mixed up on checkout and waiting on other users and such...a lot of what is here is a compilation of what people have added and pieced together, during the holidays it's all fragmented and when we're doing our best to piece it back together things do get lost in the translation.

The way you formatted saying you would put out a solution doesn't read quite like you wanted it to I believe, and my mistake, but I took it as a form of threat to the community. It's all good and there is no reason to be heated, but if you read through the threads there are different people saying different things all the way through, and Ramin put the first solid thing together he could, and it got mixed up.

I'd love it if you would submit a straightforward solid solution, that's what this community is all about. If something is directly wrong and you can submit a corrected file with a commented fix that we can track down the changes made for development and release, even send out as a corrected patch...that would rock.

And I spoke with you before over IM about a future cleanup, it sounded like you had some good ideas and I would love to include you in all of that.
  #9  
Old 02-01-2006, 09:00 PM
raminia's Avatar
raminia+ Offline
Team Pixelpost
 
Join Date: Jan 2005
Location: FL, US
Posts: 3,706
hey ! where is my post here?

why are my posts moderated here and not published? why!?

EDIT:
Thanks to blinking8s, it's fixed now.
Last edited by raminia; 02-01-2006 at 11:34 PM.
  #10  
Old 02-01-2006, 10:49 PM
blinking8s's Avatar
blinking8s+ Offline
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
Sorry raminia...I don't know why it had the moderation queue switched on...things should be cleared up with it now

All times are GMT.