There is a huge security issue that needs to be closed.
Nobody without permission should have any access to the photos. But it looks like everybody who knows the direct URL can access the image files. That's strange and a problem. Why does Piwigo have user authentication, if anybody with technical knowledge can access all photos?
The solution: Each photo view request should be served by PHP on the server, and with .htaccess, direct access to the files can be limited to the application.
Offline
Hello
It's not a security issue. With the new multisize generation, the parameter "View HD", which is now "View Original", needs to be rethought.
But to access the pictures you need to know the file name and the folder name. So you need access to the thumbnails: if you use permissions on user/group, then they can't access the album, so they can't access the pictures. If you use privacy levels on pictures and you have incremental file names, they can access them.
The biggest problem is about the access to the Original: as I said, it's new so it will change.
Offline
The problem is: People who know the direct link of a picture can give this link to other persons, and they can view the picture without authentication. To solve this, you would need to change the filename every day.
Or it must be sent by PHP to the browser, without the original filename and from a folder that is not directly accessible.
Offline
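The approach proposed in the first post and repeated above (serve every image through a PHP script that checks the session, and keep the files themselves out of reach of direct requests) looks roughly like the following. This is an added example, not Piwigo code: the permission helper `user_can_view()`, the `image_path_for()` catalog lookup, the `user_id` session key and the `/var/gallery/originals` directory are all assumptions standing in for the gallery's real tables and paths.

```php
<?php
// Added example (not Piwigo code): a gated image endpoint, e.g. /i.php?id=101.
// Assumptions: the login stores $_SESSION['user_id']; originals live in
// ORIGINALS_DIR, which is outside DocumentRoot or carries an .htaccess that
// denies all direct access, so this script is the only way to read them.
declare(strict_types=1);

session_start();

const ORIGINALS_DIR = '/var/gallery/originals';

/** Hypothetical catalog lookup: image id -> path relative to ORIGINALS_DIR. */
function image_path_for(int $imageId): ?string
{
    // Constructed sample data standing in for a database query.
    $catalog = [
        101 => '2012/10/holiday/IMG_0001.jpg',
        102 => '2012/10/holiday/IMG_0002.jpg',
    ];
    return $catalog[$imageId] ?? null;
}

/** Hypothetical permission check against the gallery's user/group/album rules. */
function user_can_view(?int $userId, int $imageId): bool
{
    // Constructed: image id -> user ids allowed to see the album it belongs to.
    $albumAcl = [101 => [7, 12], 102 => [7]];
    return $userId !== null && in_array($userId, $albumAcl[$imageId] ?? [], true);
}

function deny(int $status): void
{
    http_response_code($status);
    header('Cache-Control: no-store');
    exit;
}

$imageId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($imageId === false || $imageId === null) {
    deny(400);
}

$userId = $_SESSION['user_id'] ?? null;
if (!user_can_view($userId, $imageId)) {
    // Same answer for "no such image" and "not allowed": a guessed or forwarded
    // URL then reveals nothing about which ids exist.
    deny(404);
}

$relative = image_path_for($imageId);
if ($relative === null) {
    deny(404);
}

// Resolve the path and confirm it stays inside ORIGINALS_DIR, so a bad
// catalog entry containing "../" cannot reach outside the image store.
$full = realpath(ORIGINALS_DIR . '/' . $relative);
$base = realpath(ORIGINALS_DIR);
if ($full === false || $base === false
    || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// Stream the file under a generic name; the original filename never appears
// in a URL, so there is nothing stable to hand around.
$mime = mime_content_type($full) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($full));
header('Content-Disposition: inline; filename="image-' . $imageId . '"');
header('Cache-Control: private, no-store'); // keep shared caches from storing a copy
header('X-Content-Type-Options: nosniff');
readfile($full);
```

The script only does its job if the originals directory is not reachable on its own: either place it outside the web root, or add an `.htaccess` there with `Require all denied` (Apache 2.4; `Deny from all` on 2.2) so the web server refuses every request that does not go through the script. Thumbnails and resized copies need the same treatment, since the thread notes they lead to the originals. A forwarded link to `/i.php?id=101` then shows the image only to a browser holding a session that passes `user_can_view()`; as later posts point out, it does nothing against a permitted user saving the file and sharing it.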
WOW
This case is not even handled at all by major websites such as Facebook!
I think this will never be handled by Piwigo. The user will always be able to send a picture he can access; screenshot, etc.
Offline
Yes, the user can send it, but for that the user must first save the file.
You told me about Facebook, but do they show the photo of a private gallery? No, they don't.
Offline
Kalle wrote:
You told me about Facebook, but do they show the photo of a private gallery? No, they don't.
???
I have a private profile, all my pictures are private, but my friends who have access to my photos can still copy/paste the URL of the image!
Offline
I'm sure that your photos can't be viewed by people outside of Facebook.
I did the test with the Facebook pictures of a friend. Copy the link, log out from Facebook and paste the link into the browser. You will get an error message.
Offline
Kalle wrote:
I'm sure that your photos can't be viewed by people outside of Facebook.
I did the test with the Facebook pictures of a friend. Copy the link, log out from Facebook and paste the link into the browser. You will get an error message.
See the picture above?
Offline
OK, you win with the Facebook shit.
I know about other gallery software without this security hole. For example, with Gallery 3, that does not work. But I don't like the software because of other limitations.
Offline
This is a huge privacy hole. If an album is set to private, nothing within the album should be visible. Period.
Maybe I just have a configuration issue, but if the attitude that 'if Facebook allows it' is the goal for Piwigo, count it uninstalled from my server.
Thanks.
Last edited by jpope (2012-10-22 02:01:16)
Offline
If an album is set to private and has user access controls to control who can look at it, then it is safe. If someone gives out the address of the Piwigo page for that image, the image is still safe.
The problem begins when people give out the direct URL (address) for the image itself. This is not secure, but there is very little people can do about it. IIRC there was some .htaccess stuff that was written to make things more secure, but the problem is that it didn't work correctly on some server set-ups, causing the site not to work.
If you ask someone might give you the details.
Jack
BTW, I think you will find Gallery has had the same issues and has tried to prevent it, but it's hard to do so effectively without breaking the website.
Offline
@mendip_discovery thx for your great answer
The Facebook argument is not an excuse. It's just to explain how the web is. An .htaccess protection will be implemented, but there can be side effects.
Offline
Not all gallery systems have this issue; I mentioned a working example.
The function can be optional, and is only needed for private albums.
Offline
flop25 wrote:
An .htaccess protection will be implemented, but there can be side effects.
Is this feature planned for the next version?
To limit the side effects, you can make this feature optional.
Offline