hoorst

Posts: 12
Registered: 09/15/10
How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 16:40
 
hi folks,

How do I avoid all albums containing the major security risk of loading JavaScript from an external source? I can't find any setting related to it.

regards
horst
jGromit

Posts: 25,287
Registered: 01/31/06
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 16:56   in response to: hoorst
 
Why is loading some Javascript from jalbum.net a "major security risk?" It's the same as using Google Analytics, which loads Javascript from Google.

If you don't want to use widgets, go to Album > Settings > Advanced > Metadata, and uncheck "Include Jalbum widget support."
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 17:27   in response to: jGromit
 
I don't see this option. I use Jalbum 8.8 on Ubuntu in German, and on that page it shows (translated to English):
  • use pic-data in generated pages
  • use pic-data in generated pics
  • use Jalbum assistant
  • suppress IE warning
  • create media RSS feeds

Is the switch missing or hidden behind a different translation?

On the security: if someone manages to alter jalbum.net/load.js, he can immediately infect every album ever created with Jalbum with a browser exploit and distribute trojans to many thousand PCs within days (how many hits of load.js do you have per day? Do the math). To organized crime, access to that file is worth a lot of money; you have probably heard about it in the news. Is your IT security as good as Google's? (Still, I would never use Google Analytics for the same reason.)
jGromit

Posts: 25,287
Registered: 01/31/06
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 17:35   in response to: hoorst
 
hoorst wrote:
  • use Jalbum assistant

That one. Jalbum Assistent verwenden.

On the security: if someone manages to alter jalbum.net/load.js, he can immediately infect every album ever created with Jalbum with a browser exploit and distribute trojans to many thousand PCs within days (how many hits of load.js do you have per day? Do the math). To organized crime, access to that file is worth a lot of money; you have probably heard about it in the news. Is your IT security as good as Google's? (Still, I would never use Google Analytics for the same reason.)

If you're that worried about it, you should probably disable Javascript on your machine. In fact, you probably shouldn't be connecting to the Internet at all.
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 17:58   in response to: jGromit
 
EarlyOut wrote:
hoorst wrote:
  • use Jalbum assistant

That one. Jalbum Assistent verwenden.


Thanks.

If you're that worried about it, you should probably disable Javascript on your machine. In fact, you probably shouldn't be connecting to the Internet at all.

So how exactly does disabling JavaScript on my machine protect any visitor of my albums? Yes, not at all; that's why I need to disable it.

And if you think you have to make the big mouth because someone is concerned about a totally useless default configuration creating a security risk, I'll be more than happy to come back to this thread when the string "jalbum" appears on my security newsticker.

See ya
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 15-Sep-2010 22:41   in response to: hoorst
 
On a Unix web server this command removes all the existing calls of load.js:

grep -rl http://jalbum.net/widgetapi/load.js *|xargs sed -i -e 's/http:\/\/jalbum.net\/widgetapi\/load.js//'
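As an added example (not code from the thread), a small POSIX shell script that builds on the grep/sed one-liner above but removes the whole widget `<script>` element instead of only its URL, so no empty `src=""` tag is left behind; it backs up each changed file and reports any reference the pattern did not match so it can be checked by hand. The function names `strip_widget`/`strip_widget_tree` and the assumption that Jalbum writes the element on a single line are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: remove the complete Jalbum widget
# <script ...src="http(s)://jalbum.net/widgetapi/load.js"...></script> element
# from every HTML file below a directory. Each changed file is first copied to
# FILE.bak. Assumes the element sits on one line (how Jalbum writes it).

# BRE for the whole element; attribute order around src does not matter.
WIDGET_RE='<script[^>]*src="https*://jalbum\.net/widgetapi/load\.js"[^>]*>[^<]*</script>'

# strip_widget FILE: rewrite FILE if it references load.js.
# Prints how many referencing lines were removed (0 when left untouched).
strip_widget() {
    f="$1"
    before=$(grep -c 'jalbum\.net/widgetapi/load\.js' "$f" || true)
    if [ "$before" -eq 0 ]; then
        echo 0
        return 0
    fi
    cp "$f" "$f.bak"
    sed -e "s|$WIDGET_RE||g" "$f.bak" > "$f"
    after=$(grep -c 'jalbum\.net/widgetapi/load\.js' "$f" || true)
    echo $((before - after))
}

# strip_widget_tree DIR: apply strip_widget to every file below DIR that
# references load.js (backups are skipped). Prints "changed=N left=M";
# M > 0 means some reference did not match WIDGET_RE and needs a manual look.
strip_widget_tree() {
    changed=0
    left=0
    # Same grep -rl as the one-liner; file names containing spaces are not handled.
    for f in $(grep -rl 'jalbum\.net/widgetapi/load\.js' "$1" | grep -v '\.bak$'); do
        n=$(strip_widget "$f")
        if [ "$n" -gt 0 ]; then changed=$((changed + 1)); fi
        rest=$(grep -c 'jalbum\.net/widgetapi/load\.js' "$f" || true)
        left=$((left + rest))
    done
    echo "changed=$changed left=$left"
}

# Usage: sh strip_widget.sh /path/to/published/albums
if [ $# -gt 0 ]; then
    strip_widget_tree "$1"
fi
```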
SkiFreak

Posts: 3,423
Registered: 01/15/07
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 16-Sep-2010 04:36   in response to: hoorst
 
If you have concerns and want to disable JavaScript on your machine then that is definitely your prerogative.
The problem is, in doing this you will find that many websites will not function as JavaScript is integral to so many sites these days.
If your issue is with loading external JavaScript, like the Jalbum widgets, then simply disable this feature. Problem solved...

I don't see this option. I use Jalbum 8.8 on Ubuntu in German, and on that page it shows (translated to English):

* use pic-data in generated pages
* use pic-data in generated pics
* use Jalbum assistant
* suppress IE warning
* create media RSS feeds


It's the middle option that disables the insertion of the Jalbum widget code.
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 16-Sep-2010 17:49   in response to: SkiFreak
 
@SkiFreak:
What's the difference between your post and the last one from EarlyOut? Who was that guy who once said: "everything's been said, but not everyone has said it yet" :)

Anyway, to make my point more clear:
  • turning off JavaScript in my browser doesn't protect the other viewers of my albums
  • jalbum.net/widget load.js is not needed for me, so it is practically a web-bug (http://en.wikipedia.org/wiki/Web_bug)
  • further, it puts all the dear friends who look at my albums at risk of someone infecting their PCs with malware, for no use. All those people will call me if that happens, and for some chitchat.

If this is all new to you, please read:

http://www.zdnet.com/blog/security/businessweek-site-hacked-serving-drive-by-exploits/1902
http://isc.sans.edu/diary.html?storyid=4405
http://news.techworld.com/security/101475/new-attacks-break-500000-websites/
SkiFreak

Posts: 3,423
Registered: 01/15/07
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 17-Sep-2010 05:52   in response to: hoorst
 
jalbum.net/widget load.js is not needed for me so it is practically a web-bug

You really are making a big deal about nothing.
If you have concerns then just turn off the widget code.
What's so hard about that?

It's not like Jalbum forces you to have the widget JavaScript included.
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 17-Sep-2010 10:35   in response to: SkiFreak
 
SkiFreak wrote:
jalbum.net/widget load.js is not needed for me so it is practically a web-bug

You really are making a big deal about nothing.


OK, that Jalbum plants a web-bug might be considered a minor thing, but have you read the rest of my posting, which you're not quoting?

If you have concerns then just turn off the widget code.
What's so hard about that?

The hard thing is that it took me years to accidentally find out that it is there at all. And it is bad security to have useless things enabled by default. That's what made Microsoft products really insecure 5-10 years ago, until they changed that habit, e.g. not running an open IIS by default. The worms Code Red and Nimda were so successful back then because every MS server had IIS running, even if it was just a SQL server. That's not the case any more; MS has learned that lesson, Jalbum not yet.

It's not like Jalbum forces you to have the widget JavaScript included.

Hahaha, with that logic you could include a PHP shell with every generated Jalbum by default, and if someone complains say: "you could have turned it off, what's so hard about that?".

Please read the 3 links in my posting above. There are real people out there who earn money with hacking websites, and load.js would be a very attractive target for them.

Or ask anyone who's a bit into IT security if it's a good practice to include a central JS script, regardless of whether it's needed, into thousands/millions of web albums.
kristoffer

Posts: 2,455
Registered: 12/07/07
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 17-Sep-2010 11:15   in response to: hoorst
 
It's not like we are inserting JavaScript just for the sake of it. The JavaScript is added to enable widget functionality: http://jalbum.net/widgets/info

As the other guys have said, if you don't want to use these features you can just turn them off.
SkiFreak

Posts: 3,423
Registered: 01/15/07
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 17-Sep-2010 16:25   in response to: hoorst
 
the hard thing is that it took me years to accidentally find out that it is there at all
Have you been using Jalbum for years?
It looks like you just signed up, but maybe I am wrong...
jGromit

Posts: 25,287
Registered: 01/31/06
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 17-Sep-2010 17:14   in response to: SkiFreak
 
... and Jalbum widgets haven't been around for years. It's a fairly recent introduction.
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 18-Sep-2010 11:35   in response to: kristoffer
 
kristoffer wrote:

As the other guys have said, if you don't want to use these features you can just turn them off.

As I've said before, I wish it hadn't been enabled in the beginning, and turning it off didn't magically fix it for all the albums created in the past.
hoorst

Posts: 12
Registered: 09/15/10
Re: How to avoid security risk http://jalbum.net/widgetapi/load.js ?
Posted: 18-Sep-2010 11:37   in response to: SkiFreak
 
SkiFreak wrote:
the hard thing is that it took me years to accidentally find out that it is there at all
Have you been using Jalbum for years?
It looks like you just signed up, but maybe I am wrong...

Yes, you are wrong, because as you should know it's not needed to sign up in the forum to use Jalbum.