A colleague who hadn't yet registered on my site just told me that he could access the photos from his phone without having registered. However, he couldn't get beyond the registration dialogue when visiting the site from his computer.
I've no idea yet if this serious security breach is dependent on phone OS. My colleague hasn't responded to my question yet. In any case this is irrelevant: A security hole has been identified and must be closed.
Piwigo version: Piwigo 2.7.4
Operating system: Linux
PHP: 5.6.17 [2016-02-22 16:42:32]
MySQL: 5.5.5-10.0.21-MariaDB [2016-02-22 16:42:32]
Graphics Library: External ImageMagick 6.9.2-7
Piwigo URL: http://heviifoto.no-ip.info
FYI: The Smart Pocket (mobile theme) is also enabled on my site.
[Forum, topic 24607] Some folders without protection?
[Forum, topic 21104] Private photos are publicly accessible?
and some (many) others.
Now it would be interesting to know how he accessed the files.
The albums which he accessed are indeed "locked". If they were not, my "unregistered" colleague would have also been able to see them on his computer.
Last edited by heviifoto (2016-02-22 23:08:28)
The affected OS: android version 5.0.1
It would be prudent to check others.
I am surprised that nobody else finds this to be a serious security problem.
Previous concerns were about anybody being able to see a locked photo if they had the url. This security chasm where so-called locked albums can be viewed on smartphone browsers doesn't even require the urls to be known!
Why isn't anybody else concerned about this??
I feel concerned. I'm going to check.
Thank you, plg!
I just made a test with a web browser on Android 6.0.1 and I see no more content than on any other web browser on my Linux desktop. I need more details to understand how your colleague saw your content.
Well, this is quite perplexing. My colleague writes:
"...as now I cannot access any photos on my phone. Previously, I was able to see a series of albums, sorted by countries - mostly African and European..."
The only thing that has changed was that I registered him -after- he told me that he could already get into the site. I understand why he can't see anything now (he hadn't confirmed his registration) but I have no idea how he was able to initially view my photos.
Last edited by heviifoto (2016-02-27 17:55:11)