Announcement

#16 2022-11-01 19:33:47

bluebrad
Member
2020-05-11
3

Re: Pictures limited to "Admins and Family" visible with direct link

i tried to block direct access with htaccess but its still not working.
We need to have direct image access blocked so its more secure. ill be using my system to manage sensitive images and would like to insure there security

if i navigate to an image and right click on that image and open in new tab i can see the link and the image.
https://<sitename>/upload/<year>/<month>/<day>/<image name>
this is a security flaw.
i need this to be more random and not accessible outside the application.
meaning if i create a script to make random names i can see all the images in the site and know when there uploaded. NOT GOOD.

when i block it with htaccess it disables me on the site also.

im no expert but maybe something like this?
https://stackoverflow.com/questions/399 … -to-images

Last edited by bluebrad (2022-11-01 19:36:46)

Offline

 

#17 2022-11-02 03:06:36

erAck
Only trying to help
2015-09-06
2059

Re: Pictures limited to "Admins and Family" visible with direct link

bluebrad wrote:

ill be using my system to manage sensitive images and would like to insure there security [...] i need this to be more random and not accessible outside the application.

Then Piwigo is not the right system for you.

meaning if i create a script to make random names i can see all the images in the site and know when there uploaded.

That script would have to try 60*60*24*2^32 = 371085174374400 possibilities per day directory to get all hits. Probably only 1/2 to 2/3 of possibilities because most uploads aren't done late night or early morning. Whether that's feasible and realistic for your site you'll have to judge yourself.

Anyhow, if images shall not be accessed with an already known URL like someone viewing an image can obtain any time and pass on (apart from that screenshots exist anyway), you'll need a completely different approach than what Piwigo does.


Running Piwigo at https://erack.net/gallery/

Offline

 

#18 2022-11-29 21:04:28

bluebrad
Member
2020-05-11
3

Re: Pictures limited to "Admins and Family" visible with direct link

what im looking at is making the system secure to only logged in users.
This way it will protect against robot extractions. or the illegal shares of images.
i feel this should be apart of the system by default.

i have replayed to this on GITHUB [Github] Piwigo issue #1349

allowing the URL to be open to scraping allows any images marked for login access still available to attack.

erAck wrote:

bluebrad wrote:

ill be using my system to manage sensitive images and would like to insure there security [...] i need this to be more random and not accessible outside the application.Then Piwigo is not the right system for you.

Offline

 

#19 2022-11-30 17:00:58

erAck
Only trying to help
2015-09-06
2059

Re: Pictures limited to "Admins and Family" visible with direct link

Use .htpasswd basic authentication to lock the entire Piwigo away.
https://httpd.apache.org/docs/2.4/howto … gitworking

Of course that still does not protect against "illegal shares of images" because anyone logged in can download or screenshot the image anyway.


Running Piwigo at https://erack.net/gallery/

Offline

 

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2024 · Contact