Securing a coppermine installation.... Securing a coppermine installation....
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Securing a coppermine installation....

Started by heinrich, June 10, 2014, 07:42:50 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

heinrich

This isn't really a question for the coppermine team, but for all apache2 specialists who might read this...

Coppermine has a user and password system, but nothing stops apache from answering any request to the /album/userpics/1000xxx/ directory, so basically one could simply brute force the server with requests in hopes of finding pictures without logging in. With educated guessing one could reduce the effort.

So, how would one set up a VirtualServer directive in apache2 to only allow requests by those users, who have a valid coppermine cookie?

Or, the other way round, how do I block access to all files in /albums/ to everyone who has not successfully logged in ?

Best regards,
Heinrich Krebs

phill104

Did you search the plugins contributions board for something that might help? Maybe this? - http://forum.coppermine-gallery.net/index.php/topic,74870.0.html
It is a mistake to think you can solve any major problems just with potatoes.

heinrich

I have not, for I wrongly assumed, nobody had ever had the need for such a thing.

Thanks, it seems the Plugin does what I want. Will try it within the next days...

heinrich

Okay, the plugin doesn't do what I want properly.
First, I can't use FTP without TLS so this part of the plugin failed, but I rewrote it to use the exec-Command to change the File-attributes directly, instead of using FTP to do so.

But, now the pictures aren't shown in the gallery either. That's not what I want. I would have to alter the plugin in a way, that it sets any file displayed in the gallery to "unsecure" but at the same time stores all files currently unsecured in a table, with a timestamp.

Then I might establish a scrip that secures all files again, run every second or so, possibly a cronjob.

Seems like an awful way to keep the server busy....

A apache directive that only clients are served who logged into coppermine would have be way more elegant...

phill104

Yep, sounds like a good way to achieve things. Currently there is no plugin to do it that way, maybe someone could come up with one.
It is a mistake to think you can solve any major problems just with potatoes.

heinrich

So, I keep thinking about this and started my own Plugin, based on the posts here.

I figured I wanted the browser of any client to ask for any picture not with path and filename, but with a specific ID, that can't be guessed or something.

I saw that the pictures table has a column MD5, but it seems empty. Why is that?
Although md5 isn't considered secure anymore, it is probably secure enough to grant every image in the database it's own unique hash...

Αndré

If you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists (I assume you want to do something like "showpic.php?pid=123", which also already exist as mod or plugin somewhere in our board if I remember correctly). If the browser submit the ID to that script, it can check if the user has permission to view the picture in the first place.

At least one of our devs (gmc) uses a plugin to secure the pictures' file paths and names, but as far as I know it isn't publicly available (yet).

gmc

it is on my list to release... Have a little cleanup to do for it to work with all galleries...
Was my first plugin attempt... And learned a lot since :)

Configurable to mask or encrypt the filepath (you decide on acceptable overhead), and does not require http access to the albums folder (can use .htaccess to DENY FROM ALL)..
Only supports displaying image types supported by GD/Imagemajick - other formats pass through as they do today, and will require http access.

I currently have it bundled with dynamic watermarking (text) options, but was suggested to separate.

I am traveling for next week+.. But will take a look at it when I get home...
(One of a couple of plugins I need to release...)

You can take a look at gallery.gmcdesign.com to see what it looks like.. That uses the encryption method. View page source and let me know if you can figure out the full path to any of my photos... :)

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

heinrich

Quote from: Αndré on June 27, 2014, 08:11:43 PMIf you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists
The pid is guessable, that's why I didn't want tu use it, but you are right, if I check permissions in the script, that could be easier if the functions to do so are already in place...

Quote from: Αndré on June 27, 2014, 08:11:43 PM(I assume you want to do something like "showpic.php?pid=123", which also already exist as mod or plugin somewhere in our board if I remember correctly). If the browser submit the ID to that script, it can check if the user has permission to view the picture in the first place.
Yes, that is pretty much what I try to do...

Quote from: gmc on June 27, 2014, 11:43:20 PMit is on my list to release... Have a little cleanup to do for it to work with all galleries...
Was my first plugin attempt... And learned a lot since :)
I'd love to take a look at it... possibly it already does everything I want...

sindbad5

Encrypting the filepath is fine. That's exactly the plugin I'm wating for.

Tom

gmc

Thank you for 'bumping' this.. It fell off my radar.
I am traveling this week, but will get something ready to share next week.
Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

gmc

OK... it took me longer than a week... lol...
Take a look at the new Mask URL Plugin - which gives options to 'mask' or 'encrypt' the path to your pictures in the generated URLs.

http://forum.coppermine-gallery.net/index.php/topic,78168.msg378179.html#msg378179

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money