SECURITY: Full size images and movies available directly via URL

Started by jslegare, September 06, 2007, 06:11:13 AM


jslegare

If you have sufficient permissions to look at an image or movie in an album, you can grab the URL for the full-sized image/movie in the page source.
That full-sized image can then be obtained directly by inserting the URL in the browser and the webserver will happily serve the document.

Knowing that pictures usually come with a serial number IMG_212.JPG, you can easily try other close numbers and you are likely to get other content, even when you wouldn't necessarily have permissions to get them.

Instead of giving the URL directly in the page source, wouldn't it be more secure to put a URL like <img src="getimg.php?id=albums/blahblah/blahblah/IMG_2000.JPG" /> and verify the permissions from the getimg.php script? Then, you could just disable serving certain files in the webserver with directives:

<FilesMatch "\.(gif|jpg)">
        [limiting directives will go here]
</FilesMatch>
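
A sketch of the gatekeeper script proposed in the post above, added here as an example; it is not part of the original post and not Coppermine code. It assumes direct requests for the image files are denied by the web server, and the album root, the ACL table and the session key are hypothetical stand-ins for the gallery's own data.

```php
<?php
// getimg.php: added illustration, not Coppermine code. ALBUM_ROOT, ALBUM_ACL and
// $_SESSION['user_id'] are hypothetical stand-ins for the gallery's own data.
const ALBUM_ROOT = '/var/www/gallery/albums';
const ALBUM_ACL = ['holiday' => [], 'family/private' => [7, 12]]; // constructed; [] = public
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

function user_can_view_album(?int $userId, string $album): bool
{
    $allowed = ALBUM_ACL[$album] ?? null; // unknown album: denied by default
    return $allowed !== null
        && ($allowed === [] || ($userId !== null && in_array($userId, $allowed, true)));
}

// Map the requested id to an existing file below $root, or null if it escapes the root.
function resolve_image(string $requested, string $root): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($rootReal . '/' . $requested); // collapses "../" and symlinks
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    $inside = $path !== false && strncmp($path, $prefix, strlen($prefix)) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

// Returns [status, path, mime] for the request; nothing is sent to the client here.
function authorize_image(array $query, ?int $userId): array
{
    $id = $query['id'] ?? null;
    $path = is_string($id) ? resolve_image($id, ALBUM_ROOT) : null;
    $mime = $path === null ? null : (MIME_BY_EXT[strtolower(pathinfo($path, PATHINFO_EXTENSION))] ?? null);
    if ($mime === null) {
        return [404, null, null];
    }
    $album = dirname(substr($path, strlen(realpath(ALBUM_ROOT)) + 1));
    // Forbidden and missing both answer 404, so trying nearby serial numbers reveals nothing.
    return user_can_view_album($userId, $album) ? [200, $path, $mime] : [404, null, null];
}

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
[$status, $path, $mime] = authorize_image($_GET, $userId);
http_response_code($status);
if ($status === 200) {
    header('Content-Type: ' . $mime);
    readfile($path);
}
```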

Joachim Müller

That is well known and not a matter of security. Loading the image dynamically as you propose would cause an enormous load on the server that would bring down busy galleries pretty soon, so it's not an option.