Pass protected gallery but URL path allows viewing
 


Started by designerx, April 09, 2009, 12:58:25 AM


designerx

Hi all,

I have a password protected gallery, which was working great, until I realized that you can just enter the path of the file and view it without password protection.

I've tried several combinations of permissions, however, none seem to yield a password protected photo gallery AND protected photos via URL entry.

Situation:

I have a high profile client who needs their photos to remain highly confidential, but needs a web space to view/share them among each other.
Their gallery is for logged in users ONLY...thus, the gallery is "protected".
BUT...
Some crafty person figures out the URL path to the files...
http://www.exampledomain.com/cpg1.4x/albums/examplefolder/IMG_0001.JPG
Based on a 777 permission, the files aren't actually secure, and are fully viewable if the URL is leaked (and based on the photos, this is a very plausible situation).

How do I protect the gallery AND secure the files via URL?

I've looked through the forums, but unfortunately found no answers. I've looked outside of the Coppermine forum, and still found no answers. I've looked through the Coppermine docs and had no luck as well.  :(

Hope all is well; any response is greatly appreciated!

Joachim Müller

Quote from: designerx on April 09, 2009, 12:58:25 AM
Some crafty person figures out the URL path to the files...

How?


Quote from: designerx on April 09, 2009, 12:58:25 AM
How do I protect the gallery AND secure the files via URL?

Using Coppermine: not at all. You'd need dynamic, on-the-fly file creation for a by-file protection to work properly. Coppermine doesn't have that feature because of resource consumption out of the box. There might be some modifications that will do what you're up to, but they can't be applied easily. If you're really concerned about malevolent users guessing the URL of images embedded into Coppermine's output, you mustn't use Coppermine and look for another gallery application.
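
Added example (not part of the thread, and not Coppermine code or a Coppermine modification): per-file protection of the kind the reply above describes means the web server never hands out the image directly; a script checks the login session and then streams the file. The script name, the `PRIVATE_ROOT` directory outside the web root, the `file` query parameter and the `$_SESSION['user_id']` key are all assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical serve_image.php: added example, not Coppermine code.
// Assumes the application's login code sets $_SESSION['user_id'].

const PRIVATE_ROOT = '/var/www/private_albums'; // assumed path outside the web root

/** Map a requested relative path to a real file under $root, or return null. */
function resolve_private_file(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; the result must still sit under the root.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);   // no valid login: never touch the file
    exit('Login required');
}

$allowedTypes = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_private_file(PRIVATE_ROOT, $requested);
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !isset($allowedTypes[$ext])) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $allowedTypes[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');   // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages would then reference `serve_image.php?file=examplefolder/IMG_0001.JPG` instead of a direct file URL, so every image view costs one PHP request.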

designerx

Hey Joachim,

Thanks for the quick response.

Unfortunately, I do need to be concerned with malevolent users in this situation, however, I will continue to work on and search for answers to this.  I will repost if/when I am able to come up with a solution.  Until then, I will continue to use Coppermine for all other photo gallery ventures.

Thanks for an awesome contribution to the community.