#1 2013-05-21 15:13:35

CanaGuy
Member
2011-06-13
20

Website Security - Hackers killed my galleries

I procured a website/domain from a web-host provider to share photos amongst my family and relatives. The only feature of my site was Piwigo (2.4); there was nothing else. Access to all galleries was by password only.

Hackers (from Austria, apparently) got in and destroyed everything to such an extent that I had to have the host provider reset the website to "zero". I lost everything, with the exception of a gallery "mirror" backup on my home machine. I have since re-initialized the website and installed P2.5.1. So far, so good... works great!

However. My host provider said the site crash was due to security holes in Piwigo. Essentially, I don't know what I did that enabled the hackers' entry to destroy my site.

MY REQUEST:

You need a separate section about Gallery Security on your main website pages... with tips, protection software suggestions, advanced Piwigo settings, general prevention against hackers, etc.

By the way, do you have any suggestions for me to better protect my galleries?

Thanks for great software... even though it was severely hacked, I'm giving it another try because it's the best around IMHO.


#2 2013-05-21 16:35:31

flop25
Piwigo Team
2006-07-06
6920

Re: Website Security - Hackers killed my galleries

Hello,
do you have any technical detail?
Because it's quite easy and handy for a hoster to blame a script he doesn't know.

Are you on Windows?

A special section about security? Why? To put what inside? I don't get it. Just subscribe to the newsletter to know the latest updates available and the urgent security issues.


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website


#3 2013-05-25 12:47:30

helmuc
Member
Maidstone, UK
2013-05-23
71

Re: Website Security - Hackers killed my galleries

CanaGuy wrote:

MY REQUEST:

You need a separate section about Gallery Security on your main website pages... with tips, protection software suggestions, advanced Piwigo settings, general prevention against hackers, etc.

Hummm... sounds like a good idea.

I do agree - it would be really nice to have a sub-section called "Piwigo Security".


http://www.artforweb.co.uk - Royalty free public domain photos (CC0) for personal and business needs..


#4 2013-05-25 13:01:24

flop25
Piwigo Team
2006-07-06
6920

Re: Website Security - Hackers killed my galleries

But... There's no specific action for Piwigo. The best we could do is, on the installation page, a warning to inform users not to use the same password for FTP, database and admin account.



#5 2013-05-25 13:19:40

pewe
Member
2012-03-16
439

Re: Website Security - Hackers killed my galleries

I agree with Flop.

Hosting companies very often pass blame on to third parties (such as developers) because the technical support staff are not always 'experts' and it's the easy option.

If they have blamed a package, then ask them to provide specific details of what it is about the package that makes it vulnerable, so you can feed back to the developers.

If they can't give you a specific answer, ask them how they came to that conclusion without evidence that they can explain.

If they can't come up with an answer, ask them for copies of the server log to analyse, and if they won't do that, it tells you something about the host.

If they do come up with an answer, then report it to the developer with full details so they can consider the issue.


#6 2013-06-06 11:49:25

yvesbe
Guest

Re: Website Security - Hackers killed my galleries

@flop and @pewe:

I think that the need for security help doesn't concern Piwigo itself, but is a request to be informed about "good practices".

I have a direct example that should be documented:
- To web-install Piwigo you should create a directory with chmod 777, or it won't install.
Once installed and configured, Piwigo runs in a subdirectory of that one,
but you're not told anywhere, or not clearly if you are, to change back the permissions on the parent directory.

If you don't, anyone can upload and run anything there.
And don't try to decrease it to 655, or Piwigo won't execute anymore; you should stay at 755.

Such security tips are not Piwigo specifics, but server configuration.

A topic of that kind in the Piwigo install manual that would remind users to pay attention to that, and other stuff like it, would be very useful and would, on the side, increase Piwigo's security.


IMHO, at least :)

#7 2013-06-06 12:03:49

flop25
Piwigo Team
2006-07-06
6920

Re: Website Security - Hackers killed my galleries

777 is not required: were you talking about the Netinstall?

777 is not the evil! It's just unsafe: people can't access it directly, they still need a vector (not secured PHP, a hole in a process, etc.).

If you want to contribute, you're very welcome! Just tell me and I'll create a Wiki account for our doc.
It's written on the forum and only once in the doc that we recommend "Chmod: 755 folders, 644 files".


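The two posts above turn on one check: after a 777 install, which directories and files under the web root are still world-writable, and how to bring them to the "755 folders, 644 files" the team recommends. The script below is an added example, not Piwigo's own code; it assumes a POSIX shell with `find` and `chmod`, and takes the web root path as its argument.

```shell
#!/bin/sh
# Added example (not Piwigo's own code): audit a web root for the
# world-writable directories and files a "chmod 777" install leaves
# behind, and tighten them to the recommended 755 / 644.

# Count every directory or file under $1 that is writable by "other".
# -perm -002 is the octal form of "world-writable" and works on both
# GNU and BSD find. The count is written to stdout.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print | wc -l | tr -d ' '
}

# Show what would change: current mode and path, one entry per line.
report_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -exec ls -ld {} \;
}

# Apply the recommended modes only to entries that are too open, so a
# file the admin deliberately restricted further (e.g. a 600 config)
# is left alone. Directories first so the file pass can still descend.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Stand-alone use: audit_perms.sh /path/to/webroot [fix]
if [ -n "$1" ]; then
    report_world_writable "$1"
    if [ "$2" = "fix" ]; then
        fix_world_writable "$1"
    fi
    echo "world-writable entries remaining: $(count_world_writable "$1")"
fi
```

On hosts where PHP runs as a different user than the file owner, the upload and cache directories Piwigo writes to may need group write after this pass; the report run shows exactly which entries were touched so they can be reviewed.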

#8 2013-06-09 01:10:14

aviceda
Member
2013-06-09
8

Re: Website Security - Hackers killed my galleries

Just installed P v2.5.1 as I liked the idea of a database-type structure in albums, but I was initially worried when I was advised to CHMOD to 777; however, I noticed that that has been addressed earlier. Then I received an email confirmation of my installation (which I realise I had asked for...) but why do you post a copy of my unencrypted password details back... surely this is visible to anyone, as you are not using a secure connection?
I'm not a genius, but I thought these issues had been fixed by most other similar software years ago.
Would love to hear your thoughts...
Tom


#9 2013-06-09 10:42:11

flop25
Piwigo Team
2006-07-06
6920

Re: Website Security - Hackers killed my galleries

The password is stored encrypted and salted.
The "send an email with password" feature was added after the one of WordPress! And not using SSL for login is a more real problem than a single email.



#10 2013-06-09 11:19:44

aviceda
Member
2013-06-09
8

Re: Website Security - Hackers killed my galleries

Hi Flop25,
I've enjoyed working with Piwigo today (see www.aviceda.org/piw) but I'm still a bit apprehensive about the security aspects. Recently a hacker got into one of my Joomla! pages and created havoc, and I thought that it had more security (no CHMOD 777, .htaccess included, etc.) than Piwigo. Any more tips to 'lock down' the site would be gratefully received,
Tom


#11 2013-06-09 17:58:41

flop25
Piwigo Team
2006-07-06
6920

Re: Website Security - Hackers killed my galleries

Well, they are the same as for any software and system (a server is a computer): update regularly (subscribe to our newsletter), anti-virus and firewall, inspect logs...
If you're on a shared hoster, the only thing you can apply is to update frequently.
