[Invalid] Major Security Issue? - Relates To All Coppermine Versions
 


Started by JUSTINTIME, February 22, 2012, 03:32:37 PM


JUSTINTIME

This is what appears to be a major security issue regarding ALL versions of Coppermine Gallery, including the very latest version 1.5.18 - well it certainly is a major issue from my perspective.

I can go to any of your CPG galleries with "restricted, personal, valuable content", register an account which in most cases would give me access to that content, e.g. full size pictures, copyrighted originals, images that are for sale, etc., and by right-clicking on any full size image and selecting "Copy Image Location" from the drop-down contextual menu I can now paste that URL on any blog, any website etc. or I can even post that URL to all my friends and ANYONE can now access those full size images WITHOUT even having to visit your CPG websites, much less logging in.

I bet I could clear out many of your CPG websites in just one day, I could even start up my own websites selling your full size supposedly "protected" content without even having to download anything at all and without ever visiting your CPG websites.

All I need to do is something like this - paste in any browser and increment the values - I'm sure I would get some very interesting results:

http://your-website/displayimage.php?album=2&pid=1#top_display_media
http://your-website/displayimage.php?album=2&pid=2#top_display_media
http://your-website/displayimage.php?album=2&pid=2#top_display_media
http://your-website/displayimage.php?album=3&pid=1#top_display_media
http://your-website/displayimage.php?album=3&pid=2#top_display_media
http://your-website/displayimage.php?album=3&pid=3#top_display_media

The same applies to all attempts to incorporate a shop into CPG... while one person might pay for access, he/she could simply post URLs to anyone and everyone who would then literally download for free, and this does apply to music and videos also.

Of course I am not interested in such activities which is why I am here warning about this, and the above, tested with Firefox V10.0.1, can be done both with and without cookies and probably with all browsers.

So in other words, limiting access to important content by User Groups defined in the User Configuration Settings just does not really work except on a very superficial level.

Give it some thought people and bear in mind that what you might consider safe behind an account and password - ISN'T safe at all.

Best Wishes To All

JUSTINTIME

Actually, just to add to my previous post I have done the following:

I typed into Google search "Powered By Coppermine" - this gives me an endless list of Coppermine galleries, and just by changing the domain name in the following URLs I can access all the following content WITHOUT even ever having visited their web sites.

Example:

http://bradley-cooper.org/gallery/displayimage.php?pid=6&fullsize=1
http://bradley-cooper.org/gallery/displayimage.php?pid=7&fullsize=1
http://bradley-cooper.org/gallery/displayimage.php?pid=8&fullsize=1

http://dibbz.net/gallery/displayimage.php?pid=70&fullsize=1
http://dibbz.net/gallery/displayimage.php?pid=80&fullsize=1
http://dibbz.net/gallery/displayimage.php?pid=100&fullsize=1

Not exactly rocket science, and these points have been mentioned before under "Leeching", however those links could be entire private gallery images, which in this example I choose not to display.

Perhaps you can see my point. A solution however I do not have at the moment, and certainly I would be annoyed if someone did that to my website or scraped it using software (as several sites are currently doing) all the way through to private albums.

Perhaps if this post is suggesting too many "ideas" it can be deleted by admin.

Regards

Joe Carver

Quote from: JUSTINTIME on February 22, 2012, 03:32:37 PM
This is what appears to be a major security issue regarding ALL versions of Coppermine Gallery,

No, there is no security issue. Your concerns might be valid, but your perspective is a bit off.

Quote from: JUSTINTIME on February 22, 2012, 03:32:37 PM
.... I can now paste that URL on any blog, any website etc. or I can even post that URL to all my friends and ANYONE can now access those full size images WITHOUT even having to visit your CPG websites, much less logging in.

No again, this is a server control issue, not a cpg issue. Please do a little searching next time.
See this thread if you want to protect your pictures.
http://forum.coppermine-gallery.net/index.php/topic,74292.msg358146.html#msg358146

But you must remember - if you allow people to see your pictures in their browser, you have given them a copy in their cache. They can then do as they please with it.

Quote from: JUSTINTIME on February 22, 2012, 03:32:37 PM
So in other words, limiting access to important content by User Groups defined in the User Configuration Settings just does not really work except on a very superficial level.

Yes it would, if combined with the .htaccess settings suggested in the thread above.

The only real protections are to not put the pictures on the web or to embed watermarks.

[edit]
Quote from: JUSTINTIME on February 22, 2012, 04:34:19 PM
... I can access all the following content WITHOUT even ever having visited their web sites

Example:....displayimage.php?pid=6&fullsize=1

The settings in Config >> User settings >> Allow unlogged users (guest or anonymous) access can prevent unlogged access to the full size pics.

Αndré

Marking thread as invalid, as displayimage.php won't return anything useful if you don't have the required permissions. As Joe already said, protecting the images on server-side level isn't Coppermine's task, but there are already some topics dealing with that topic.
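
The "leeching" discussed in this thread can be measured from the web server's access log before deciding on server-side rules. The following is an added example, not part of the thread or of Coppermine: it reports media files that were actually served to requests whose Referer is another site or missing. The hostnames, the `MEDIA-DIR` path placeholder, the combined log format and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the thread): combined log format, the gallery's own
# hostnames, and a placeholder directory that holds the media files.
OWN_HOSTS = {"gallery.example", "www.gallery.example"}
MEDIA_PREFIX = "/gallery/MEDIA-DIR/"   # placeholder, set to the real media path
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4")

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return None for lines that are not served media, else (path, verdict)."""
    m = LINE_RE.match(line)
    if not m or m["status"] not in ("200", "206", "304"):
        return None                    # unparsable, or already refused (403...)
    path = urlsplit(m["target"]).path
    if not path.startswith(MEDIA_PREFIX) or not path.lower().endswith(MEDIA_EXT):
        return None                    # a script page, not a media file
    ref = m["referer"]
    if ref in ("", "-"):
        return path, "no-referer"      # pasted link, or a client hiding Referer
    host = (urlsplit(ref).hostname or "").lower()
    return path, ("same-site" if host in OWN_HOSTS else "off-site:" + host)

def hotlink_report(lines):
    """Map each off-site referring host (or 'no-referer') to the files served."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[1] != "same-site":
            report.setdefault(hit[1], []).append(hit[0])
    return report

# Constructed sample log lines (documentation IP ranges, made-up hosts).
FMT = '{} - - [22/Feb/2012:16:00:00 +0000] "GET {} HTTP/1.1" {} 512 "{}" "Mozilla/5.0"'
SAMPLE_LOG = [FMT.format(*row) for row in [
    ("203.0.113.5", MEDIA_PREFIX + "a/one.jpg", 200,
     "http://gallery.example/gallery/displayimage.php?pid=6"),
    ("198.51.100.7", MEDIA_PREFIX + "a/one.jpg", 200, "http://blog.example.net/post/12"),
    ("198.51.100.9", MEDIA_PREFIX + "a/two.jpg", 200, "-"),
    ("198.51.100.9", "/gallery/displayimage.php?pid=7", 200, "-"),
    ("198.51.100.7", MEDIA_PREFIX + "a/two.jpg", 403, "http://blog.example.net/post/12"),
]]

if __name__ == "__main__":
    print(hotlink_report(SAMPLE_LOG))
```

A missing Referer is also normal for bookmarks and privacy-conscious clients, so the `no-referer` bucket is a count to watch rather than proof of leeching.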