Announcement

#16 2013-01-26 12:16:15

tom_rosenback
Member
2013-01-26
1

Re: Secure Images

Me to see this as a security issue. One way to solve this is to move the physical image storage outside the www directory. This way no one without access to the album will have access to the file even if they have the direct link, all access will go then through the database. I don´t know if this is possible but it would solve the access issue.

regards,
Tom

Offline

 

#17 2013-01-26 16:14:02

pewe
Member
2012-03-16
439

Re: Secure Images

tom_rosenback wrote:

Me to see this as a security issue. One way to solve this is to move the physical image storage outside the www directory. This way no one without access to the album will have access to the file even if they have the direct link, all access will go then through the database. I don´t know if this is possible but it would solve the access issue.

regards,
Tom

For those that regard security as an important issue, try this as an alternative:

I have set up a test album which has 2 levels of protection - either one or both can be used depending on requirements.

Go here
http://remotetutorials.com/photos

You will find you cannot see the home page, instead you are presented with a login request.

This is the first level of protection which prevents access to ANYWHERE in the Piwigo installation.

To get in use the following
e-mail address: piwigo@domain.com
password: letmein

You will now be directed to the gallery home page.
On the left at the top is a Link block called 'Login Protected Area'. The second link in the block called 'Log out of site access' will log you out of the site when you are finished.

When you get in to the gallery you will see 3 albums

Locked - this is an album with the second level of protection
File Uploader - a test of a plugin for files
Locked2 - an unprotected album

You will notice the missing thumbnail for the 'Locked' album. This is because the folder where the thumbnails and re-sized images are stored is 'protected' using the second level of protection.
Click the album name and this takes you to the album where once again the thumbnail is missing. Click the file name shown where the thumbnail should be and you will will be taken to the image page which is also void of an image and only shows the name (plus the purchase option to buy using the paypal plugin).

At this stage go back to the album page and click the link on the left at the top called 'Login for Protected Albums' - this will open a login page in a separate window where you can login using
username: piwigo
password: letmein

The login will open your member page - leave this open and go back to the album window and now you will be able to browse the album and see all the available image sizes.

To logout of the 'protected' album access, go to the 'member' window and log out.

As I said earlier, either one or both of these protection methods can be used separately or together.

Feel free to test them to find any loopholes in the protection, and if you find any please let me know.

I am no coder, but I am sure that this facility could be coded as a 'plugin' for Piwigo - any coders interested in having a go??

Last edited by pewe (2013-01-26 16:14:53)

Offline

 

#18 2013-01-27 21:41:52

Kalle
Member
2012-08-17
89

Re: Secure Images

Is it possible to use PHPMembers with a different subdomain?

my Piwigo Gallery is installed as subdomain without using a subdirectory in the final link.

Last edited by Kalle (2013-01-27 22:49:40)

Offline

 

#19 2013-01-28 00:23:32

pewe
Member
2012-03-16
439

Re: Secure Images

Can you give an example of your link structure and your server directory structure.

Last edited by pewe (2013-01-28 00:45:13)

Offline

 

#20 2013-01-28 19:35:13

Kalle
Member
2012-08-17
89

Re: Secure Images

piwigo is installed in /webspace/piwigo as domain root and started with http://piwigo.mydomain.tld

i want to install phpmembers at /webspace/phpmembers and use http://phpmembers.mydomain.tld for it.

Offline

 

#21 2013-01-29 14:06:09

pewe
Member
2012-03-16
439

Re: Secure Images

Sorry for the delay in answering - I had to test it out and it does work with subdomains.

My installation of PHPmembers is on www.remotetutorials.com and I have set up a subdomain at piwigo.remotetutorials.com, which I can protect using the PHPmembers on the main domain.

Apparently PHPmemebrs will work OK with sub-domains, but not with cross domains where the domain is not the same name - a cookies issue.

Offline

 

#22 2013-01-30 01:32:22

Kalle
Member
2012-08-17
89

Re: Secure Images

How looks your directory structure of the test?

phpmembers can't be installed in a subdirectory of the application it should control. True?

Offline

 

#23 2013-01-30 02:05:07

pewe
Member
2012-03-16
439

Re: Secure Images

True.
If you put it in the 'piwigo' sub domain you have no access.

The structure you need is
http://phpmembers.mydomain.tld with your phpmembers installation. In this set up a 'protected folder' at  /webspace/piwigo.

That should do it.

Offline

 

#24 2013-01-30 18:10:40

flop25
Piwigo Team
2006-07-06
7037

Re: Secure Images

hi all
just to warn you've tested it and found a flaw
I will just talk to the issue when a user is already granted : a geek like me -I'm not a programmer- can set the cookie like this one phpmem_auth_groups=.1-d0988c45656efbe154c9c37416877b5e..2-159616d8ad851a6df26dba4b125f84aa..3-0a6abe11852ce00d64e86f282441be23.; path=/; domain=localhost and get the access to protected folders
So it's not as obvious than a simple link - it requires a link and a cookie (which can to set to never expire - but still easily done without getting id/pwd.
Anyway, a granted user is granted one! so he can still give its id/pwd. Yes this script will prevent basic users to get the url and copy/paste it by error


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#25 2013-01-30 18:51:12

pewe
Member
2012-03-16
439

Re: Secure Images

Thank you for the feedback flop.

Obviously PHPMember is not a top security package as it is free, but I think it could be very useful as a deterrent for most Piwigo users who want to make their installations harder to view for non authorised visitors.

I can't imagine to many people would be passing on cookie details to others to break in to a site -although one never knows.

Just as a matter of interest, if someone was given the details from a cookie, how would they fake it in their browser such as firefox?
I don't know how to do it (never had a need to do it) and a brief search has not yet given me any positive answers.

Offline

 

#26 2013-01-30 18:54:54

flop25
Piwigo Team
2006-07-06
7037

Re: Secure Images

pewe wrote:

Just as a matter of interest, if someone was given the details from a cookie, how would they fake it in their browser such as firefox?
I don't know how to do it (never had a need to do it) and a brief search has not yet given me any positive answers.

just need to create the cookie with the info provided, using a module which allows that for firefox like Cookies Manager+ mainly


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#27 2013-04-28 14:28:49

gwp
Member
2013-04-28
2

Re: Secure Images

Hello all, first post so be gentle :)
I am currently uploading your gallery to my site, so havent really had chnace to try your gallery yet, but

you could try this .htacess file in the root of your albums.
I am assuming that all your albums are in public_html\piwigo\galleries
so you could have
\galleries\album1
\galleries\album2

and your large images are stored in these folders, below the /galleries folder.

----------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} !galleries/index\.php\?level=\w+&id=\d+$ [NC]
RewriteRule /large/.+\.jpg$ http://YOURWEBSITE.co.uk/index.html [L]
---------------

You will need to change the url of YOURWEBSITE.

what this does .....

lets say you have an image in folder1 called image123.jpg and you also have an image in folder2 called image456.jpg

if the visitor gets the full url from your website to the large image at:
www.myco.uk/piwigo/galleries/folder1/image123.jpg

they then copy the url, and paste it into an email (or whatever) to a friend.
if the friend then opens that url, the script will redirect them to your homepage.

this script will protect in the same way, any image in any folder under the /galleries folder.

Last edited by gwp (2013-04-28 14:34:00)

Offline

 

#28 2013-08-19 21:52:30

GOPIWI
Member
2013-08-19
27

Re: Secure Images

Hi,

to the OP: I would like to suggest to take a look into http authentication - it is not so complicated to setup apache webserver to authenticate users, see an explanation e.g. here.

This way it is not possible to read the images without authentication, however you get all-or-nothing, so public albums are not possible with this solution, also more complicated setups with access to several groups / users to different albums will not work as expected, as long it is not directly supported by the piwigo authentication process, but you can setup a private gallery without too much hassle.

Have a nice day,
John

Offline

 

#29 2013-08-19 23:22:35

GOPIWI
Member
2013-08-19
27

Re: Secure Images

Hi,

I just learned that piwigo supports http authentication - just use 

Code:

$conf['apache_authentication'] = true;

in your config.

Please read on here:

http://piwigo.org/forum/viewtopic.php?p … 02#p145502

Have a nice day,
John

Offline

 

#30 2013-08-21 06:59:48

hkdigit
Translation Team
Hong Kong
2013-05-23
89

Re: Secure Images

It does not prevent copy and paste URL to see the image, but below can prevent it show on other site.

http://www.htaccesstools.com/hotlink-protection/

Hope this help a little bit.

IMHO, there is no 100% safe way for secure once it put online.

Offline

 

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2022 · Contact