Just Journal Developer Blog

I just published an updated version of just journal. I've been working on it for awhile, but just got an opportunity to finish it.

Changes:

Half the code for tags is now implemented. You can see the tag place holders. I need to add the code to add tags when submitting a blog entry next.

Just Journal now supports RSD (Really Simple Discovery). This should allow some blogging clients to "find" the xml-rpc interfaces (like blogger api) on Just Journal.

The stats on the front page now using fixed floating point numbers so it should be much closer to adding up to 100% for public/private/friends entries. I made use of the String.format method in java.

There are some fixes for Dashboard users. Entries now assume you want comments, and emails on comments for entries.

Some error messages were fixed and I've added more logging on the comment feature to track down some bugs that seem to randomly manifest themselves.

I found a bug in the tags feature. It's listing tags multiple times on the left hand side. (oops) I corrected the SQL query and it will be updated when I role out the trackback software in the next few weeks. (probably much sooner)

 I was recently told that in some cases it's possible to hijack a session from any webapp, and that just journal had a problem with this.  I quickly went to work on this problem.  It has caused problems for big sites like MySpace and Facebook.  

What does session hijacking mean to me?

Session hijacking means stealing your login.  While you're logged into the account, someone could read your private blog entries and post entries to your account.  Anything you can do, they can do to.  They don't know your password, and can only do this while you're logged in.

What users can do to protect themselves:

1. Always use the secure login feature.  (SSL)  This will prevent the first type of attack on your account.  
2. Always log out of just journal when you're done.  Don't just leave the site.

Steps we're taking to minimize this attack

1. A review of just journal's code is pending.  
2. We're probably going to limit special characters allowed in titles of blog entries, journal titles, music, tags, etc further.  We may limit what can be pasted into blog entries as well.  The only other attack possible is stealing a session cookie which requires a cross site scripting (XSS) attack.  That means someone put javascript code on the site and used that to steal your session.

The site was down due to a hack on another site hosted on the server.  As a precaution, I brought the system down and did a fresh os install.  The attacker was not very careful and left a great deal of log evidence.  I do not believe any information was taken.  User passwords are never stored in clear text, only hashed.  If you are concerned, change your password.  

For those interested, the attacker gained access as the webserver user (not root) via a cgi program.  I have deleted the program.