thanks for the hotfix, hns (please commit it to cvs). nevertheless i think we have to tighten the login-procedure in antville, and possibly some features have to vanish. and thanks to nosleep for your posting.

Thank you for the quick response. Cross site scripting has been an issue with many applications which use the cgi, and a faked login on another server is a different approach as a customized one the same server - imho. Since antville allows users to modify and enhance the look and feel of their blogs its quite impossible to overcome this issue (scanning the modified skins is an issue even if you use heuristic or other ways to detect them). One option is to deny custom forms - even worse. Another option is a SSL/TLS secured central login (even bad, you can still spoof certificates, people are still not aware of that, it won't help either). A nice try would be a form with a one-way hashed value as hidden tag inside a server generated login form (that isn't customizeable) i.e. <% logmein %> and the hash value is checked within the login to overcome spoofing and issue an alert if the value is missing - I have to put on my thinking cap to make it bulletproof. I am still to lazy to check out the source and step into more details of antville (I still have some issues about search-engine optimization, and the whole page-creation process but I am sure you guys don't like to hear this (o;), my apologies for that.

Its always hard to implement trust in an open enviroment where subscribers are able to modify many paramters. I will think about it, maybe there is a way to implement it or to put it in other words: Insisting on perfect safety is for people who don't have the balls to live in the real world. -- Mary Shafer, NASA Ames Dryden

IMO that approach isn't any good. it's nice of nosleep to document the issue and of you to try to prevent abuse, but you simply can't prevent a weblog creator who's allowed to integrate HTML without restrictions from fooling his visitors. restricting features will definitely annoy blog owners who lose control over their creations, but it won't help protecting innocent visitors, because a workaround that will still fool many of them can always be implemented.

a better approach would be educating the users. for example, making them log in at the "safe server-level login" by default and putting a message there that warns them of loging in anywhere else, and/or generally putting a little explanation on the login pages. because no matter what you do, it's always up to the user to check the url when logging in. anyone can clone the exact look of the "safe login", except fot the exact url. what you can do is pay attention to reports of malicious behaviour, ban malicious users and try to reverse any damage they've done. what you certainly can not do is provide a significant security improvement without employing siginificantly more secure technology (like kerberos or something, which cannot be properly integrated with the present-day browsing look&feel anyway).

update: in reply to nosleeps new comment: you provided some very good and usable ideas there, but in order to make them work several more restrictions would have to be implemented. one of them would have to be banning links to other sites, because i can always put a clone of part of my blog on another site.

Delivering clue to users is a possible solution, you are very right. I am still trying to solve a social issue with a technical solution. And yes, I like it. (o; Kerberos isn't a solution and won't integrate into antville, thats clear even without knowledge about the source. I am thinking about a solution that does not interfere with antville and makes it not possible to spoof a login on a malcious blog thats all, thats not easy, maybe a simple cookie with a fixed location in the URI or another token helps to solve the issue, maybe I should get the source. I am still thinking on it.

Nobody can protect you from someone that clones your blog and spoofs your blog externally, thats not the goal, the goal is to make it impossible to use custom forms within the login procedure, thats all. External spoofing is not to overcome. I find this problem quite intresting, maybe there is no solution - but I don't think so at the moment.

at home and in the office.

but it may have been just a couple of restarts. it's all working fine now.

Cookie doesn't work.

we had to do some changes regarding the the remember-me feature. tomorrow i'll explain why it doesn't work anymore under certain circumstances. sorry, but i'm too tired now.