#1 2018-07-17 09:28:46


Phishing potential due to dynamic gallery URL

I just received multiple Piwigo 2.9.4 update notifications ("Time has come to update your Piwigo...") which contained interesting links such as "" and  "". I confirmed the messages were really sent by my own Piwigo instance located on a whole different URL.

The reason is most likely a combination of the following:

1) My instance can be called by any random hostname by "spoofing" the DNS name (since it's running under a default website which does not explicitly require a specific DNS name)
2) The mail notification functionality uses the function get_absolute_root_url, which in turn uses an HTTP header value from a browser request.

The result is a little discomforting, to say the least. It gives the impression that the instance has been hacked, and it's possible to generate phishing emails by repeatedly calling the gallery by a made-up hostname. I'm uncertain what the best approach is here, but there are a few possible solutions:

a) Should all administrators simply fix 1) so that the gallery can only be called by specific hostnames?
b) Or should the base url be set in a more static way than deriving it from a browser request (such as explicitly asking for it when installing)?
c) Or is it perhaps best to remove links from the notification messages altogether?
d) ?

Comments welcome :)
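The mechanism described in the post, as an added example that is not part of the original thread and not Piwigo's code: a small model of how an application derives its absolute root URL from the request, the vulnerable form beside a hardened one. The function names, the WSGI/CGI-style request dictionaries, the hostnames (gallery.example.org, evil.example.net) and the `admin.php` link in the stand-in mail body are all constructed for illustration; Piwigo's real get_absolute_root_url() is not reproduced. The hardened version implements both options a) (an allowlist of hostnames checked inside the application) and b) (a base URL fixed in the configuration).

```python
"""Model of a base URL derived from the request's Host header (the issue in
post #1) beside a hardened derivation. Added example, not Piwigo code: the
function names, request dicts, hostnames and mail text are constructed."""
import re

# Constructed requests in WSGI/CGI environ form. The first is a normal visit;
# the second is the same request with a spoofed Host header, which is what a
# server answering on its default vhost accepts for any name.
LEGIT_REQUEST = {
    "HTTPS": "on",
    "HTTP_HOST": "gallery.example.org",
    "SCRIPT_NAME": "/piwigo/index.php",
}
SPOOFED_REQUEST = {
    "HTTPS": "on",
    "HTTP_HOST": "evil.example.net",  # client-chosen, e.g. curl -H 'Host: ...'
    "SCRIPT_NAME": "/piwigo/index.php",
}
# Option a) done inside the application: hostnames the administrator says the
# gallery is legitimately reachable on (assumed values).
ALLOWED_HOSTS = ("gallery.example.org", "photos.example.org:8443")


def _scheme(environ):
    return "https" if environ.get("HTTPS", "").lower() in ("on", "1") else "http"


def _app_path(environ):
    # "/piwigo/index.php" -> "/piwigo/", "/index.php" -> "/"
    return environ.get("SCRIPT_NAME", "/").rsplit("/", 1)[0] + "/"


def root_url_from_request(environ):
    """Vulnerable derivation: whatever the client sent as Host is trusted.
    SERVER_NAME is no safer on a default vhost: with Apache's default
    UseCanonicalName Off it is filled from the same Host header."""
    host = (environ.get("HTTP_X_FORWARDED_HOST")
            or environ.get("HTTP_HOST")
            or environ.get("SERVER_NAME"))
    return f"{_scheme(environ)}://{host}{_app_path(environ)}"


# Hostname with optional port; rejects paths, userinfo, whitespace, etc.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::[0-9]{1,5})?$"
)


def _normalize_host(host, scheme):
    """Lower-case, validate, and drop the scheme's default port so that
    'Gallery.Example.org:443' over https equals 'gallery.example.org'."""
    host = host.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"malformed Host: {host!r}")
    name, _, port = host.partition(":")
    if port in ("", "443" if scheme == "https" else "80"):
        return name
    return f"{name}:{port}"


def root_url_trusted(environ, allowed_hosts, configured_root=None):
    """Hardened derivation.

    configured_root is option b): a base URL fixed in the configuration and
    used verbatim, so the request cannot influence it. Otherwise the Host
    header is accepted only if it is on the allowlist. Forwarded-host headers
    are ignored on purpose: a spoofed one would bypass the check.
    """
    if configured_root:
        return configured_root.rstrip("/") + "/"
    scheme = _scheme(environ)
    host = environ.get("HTTP_HOST")
    if host is None:
        raise ValueError("request carries no Host header")
    host = _normalize_host(host, scheme)
    if host not in {_normalize_host(h, scheme) for h in allowed_hosts}:
        raise ValueError(f"untrusted Host: {host!r}")
    return f"{scheme}://{host}{_app_path(environ)}"


def is_trusted_request(environ, allowed_hosts):
    """True if root_url_trusted would accept this request's Host header."""
    try:
        root_url_trusted(environ, allowed_hosts)
        return True
    except ValueError:
        return False


def update_notification(root_url):
    """Stand-in for a mail body that embeds the gallery link (constructed)."""
    return f"Time has come to update your gallery: {root_url}admin.php"


if __name__ == "__main__":
    for label, req in (("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(f"{label:8s} naive:   {update_notification(root_url_from_request(req))}")
        try:
            print(f"{label:8s} trusted: {update_notification(root_url_trusted(req, ALLOWED_HOSTS))}")
        except ValueError as exc:
            print(f"{label:8s} trusted: refused ({exc})")
```

To check whether your own instance is affected, send it a request with a foreign Host header, for example `curl -sI -H 'Host: attacker.example' https://your-gallery/`, and look at any Location header or generated link for the foreign name; a fix at the web-server level (option a, a vhost that only answers for the real names) stops the request before the application sees it, while a fixed base URL in the configuration (option b) protects the e-mails even when the server still answers for any name.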



#2 2018-07-17 14:01:50

Piwigo Team
Nantes, France, Europe

Re: Phishing potential due to dynamic gallery URL

Hi ferryman,

Thank you for starting this discussion. I had not seen the potential issue here.

I like, very much, the fact that a given Piwigo can be reached from several URLs (it makes several operations much simpler).

Removing the link would be a solution, but keep in mind that all emails sent by Piwigo have a link inside, with the same potential issue :-/



