SECURITY: Full size images and movies available directly via URL SECURITY: Full size images and movies available directly via URL
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

SECURITY: Full size images and movies available directly via URL

Started by jslegare, September 06, 2007, 06:11:13 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

jslegare

September 06, 2007, 06:11:13 AM
If you have sufficient permissions to look at an image or movie in an album, you can grab the URL for the full-sized image/movie in the page source.
That full-sized image can then be obtained directly by inserting the URL in the browser and the webserver will happily serve the document.

Knowing that pictures usually come with a serial number IMG_212.JPG, you can easily try other close numbers and you are likely to get other content, even when you wouldn't necessarily have permissions to get them.

Instead of giving the URL directly in the page source, wouldn't it be more secure to put a URL like <img src="getimg.pgh?id=albums/blahblah/blahblah/IMG_2000.JPG" /> and verify the permissions from getimg.php script. Then, you could just disable serving certain files in the webserver with directives:

<FilesMatch "\.(gif|jpg)">
        [limiting directives will go here]
</FilesMatch>

Joachim Müller

#1
September 06, 2007, 07:36:37 AM
That is well known and not a matter of security. Loading the image dynamically as you propose would cause an enourmous load on the server that would bring down busy galleries pretty soon, so it's not an option.
Print
Go Up Pages1
User actions