Hello, this is my first time here.
I've realized that there's a weak point in using the watermark tool. There's a way to obtain the original file without the watermark.
The way to obtain the original file is to get the dynamic image URL:
/domain.com/i.php?/upload/2013/01/28/20130131000001-66b88f69-me.jpg
and then you can get the original file URL by just deleting two things.
/domain.com/i.php?/upload/2013/01/28/20130131000001-66b88f69-me.jpg
/domain.com/upload/2013/01/28/20130131000001-66b88f69.jpg
From my point of view this is kind of a bug...
Last edited by c.urrutia (2013-01-31 19:06:37)
To stop this, the upload and galleries directories (where the original images are stored) need protecting to stop direct access.
pewe wrote:
To stop this, the upload and galleries directories (where the original images are stored) need protecting to stop direct access.
You are right! =)
.htaccess corrects this problem, but maybe for inexperienced users that's a difficult solution.
Thanks for your support! =)
I share the way to solve this...
First of all, you need FTP access to your server. Then you need to create a users dot-file (to keep it hidden from the internet) like .htpasswd and a second file named .htaccess (in the folder that you need to protect).
You can fill your users & passwords file (.htpasswd) using this generator: www.htaccesstools.com/htpasswd-generator/
and then, you can copy this into your .htaccess file:
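AuthType Basic
AuthName "Restricted Area"
# A relative AuthUserFile path is resolved against Apache's ServerRoot, not this folder; use the full path to your .htpasswd
AuthUserFile .htpasswd
AuthGroupFile /dev/null
Require valid-user
Order allow,deny
Satisfy any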
Last edited by c.urrutia (2013-02-01 04:39:54)
Hmm much simpler
Deny From All
in the .htaccess
Since you put a watermark and no one is allowed to see the original, that's the best way
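To check whether the upload and galleries directories are actually protected, the web server's access log can be audited for direct requests to original images. The following is an added example, not code from any post in this thread; it assumes an Apache common/combined log format, and the log lines are constructed around the file path from the first post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (documentation IP ranges), for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2013:19:01:10 +0000] "GET /i.php?/upload/2013/01/28/20130131000001-66b88f69-me.jpg HTTP/1.1" 200 48211
203.0.113.5 - - [31/Jan/2013:19:01:42 +0000] "GET /upload/2013/01/28/20130131000001-66b88f69.jpg HTTP/1.1" 200 2318840
198.51.100.7 - - [01/Feb/2013:04:45:03 +0000] "GET /upload/2013/01/28/20130131000001-66b88f69.jpg HTTP/1.1" 403 209
198.51.100.9 - - [01/Feb/2013:04:50:00 +0000] "GET /galleries/album1/photo.JPG HTTP/1.1" 401 381
"""

# host, timestamp, request target, status (assumed common/combined log layout)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
ORIGINAL_DIRS = ("/upload/", "/galleries/")   # directories named in the thread
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
SERVED = {200, 206, 304}    # original was (or had already been) delivered
BLOCKED = {401, 403}        # .htaccess protection answered the request


def audit(log_text):
    """Return (served, blocked) lists of direct requests for original images."""
    served, blocked = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, target, status = m.groups()
        # Requests through i.php carry the image in the query string, so
        # their path is just /i.php and they are skipped here.
        path = urlsplit(target).path
        if not any(d in path for d in ORIGINAL_DIRS):
            continue
        if not path.lower().endswith(IMAGE_EXT):
            continue
        hit = (ip, when, path, int(status))
        if hit[3] in SERVED:
            served.append(hit)
        elif hit[3] in BLOCKED:
            blocked.append(hit)
    return served, blocked


if __name__ == "__main__":
    served, blocked = audit(SAMPLE_LOG)
    for ip, when, path, status in served:
        print(f"UNPROTECTED original served: {when} {ip} {path} -> {status}")
    print(f"{len(blocked)} direct request(s) were refused")
```

Any entry in the first list dated after the .htaccess file was added means the protection is not in effect for that directory.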
c.urrutia wrote:
pewe wrote:
To stop this, the upload and galleries directories (where the original images are stored) need protecting to stop direct access.
I share the way to solve this...
If you - or anyone else - is interested, I have a script which can be installed on a server. It allows Admin to specify any directory on the server (using an explorer type interface) and add an .htaccess file to it, then allows admin to add/delete users to any protected directory by creating/adding/updating an .htpassword file for the directory.
If interested, send me a PM.