Securing a coppermine installation....

Started by heinrich, June 10, 2014, 07:42:50 PM

heinrich

This isn't really a question for the coppermine team, but for all apache2 specialists who might read this...

Coppermine has a user and password system, but nothing stops apache from answering any request to the /album/userpics/1000xxx/ directory, so basically one could simply brute force the server with requests in hopes of finding pictures without logging in. With educated guessing one could reduce the effort.

So, how would one set up a VirtualServer directive in apache2 to only allow requests by those users who have a valid coppermine cookie?

Or, the other way round, how do I block access to all files in /albums/ to everyone who has not successfully logged in?

Best regards,
Heinrich Krebs

phill104

Did you search the plugins contributions board for something that might help? Maybe this? - http://forum.coppermine-gallery.net/index.php/topic,74870.0.html
It is a mistake to think you can solve any major problems just with potatoes.

heinrich

I have not, for I wrongly assumed nobody had ever had the need for such a thing.

Thanks, it seems the Plugin does what I want. Will try it within the next days...

heinrich

Okay, the plugin doesn't do what I want properly.
First, I can't use FTP without TLS so this part of the plugin failed, but I rewrote it to use the exec command to change the file attributes directly, instead of using FTP to do so.

But, now the pictures aren't shown in the gallery either. That's not what I want. I would have to alter the plugin in a way that it sets any file displayed in the gallery to "unsecure" but at the same time stores all files currently unsecured in a table, with a timestamp.

Then I might establish a script that secures all files again, run every second or so, possibly a cronjob.

Seems like an awful way to keep the server busy....

An apache directive by which only clients who have logged into coppermine are served would have been way more elegant...

phill104

Yep, sounds like a good way to achieve things. Currently there is no plugin to do it that way, maybe someone could come up with one.

heinrich

So, I keep thinking about this and started my own Plugin, based on the posts here.

I figured I wanted the browser of any client to ask for any picture not with path and filename, but with a specific ID, that can't be guessed or something.

I saw that the pictures table has a column MD5, but it seems empty. Why is that?
Although md5 isn't considered secure anymore, it is probably secure enough to grant every image in the database its own unique hash...

Αndré

If you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists (I assume you want to do something like "showpic.php?pid=123", which also already exists as a mod or plugin somewhere in our board if I remember correctly). If the browser submits the ID to that script, it can check if the user has permission to view the picture in the first place.

At least one of our devs (gmc) uses a plugin to secure the pictures' file paths and names, but as far as I know it isn't publicly available (yet).
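One way to do the script-side check Αndré describes, which also closes the direct /albums/ access the opening post worries about, as an added example that is not Coppermine's code nor any poster's plugin: PHP 8, where ALBUMS_DIR, the PICTURES array and user_may_view() are constructed stand-ins for the gallery's pictures table and ACL.

```php
<?php
// Gatekeeper that serves one picture by numeric pid after a permission check.
// Pair it with a .htaccess in the albums directory containing
// "Require all denied" (Apache 2.4) / "Deny from all" (2.2), so the only
// way to fetch an image over HTTP is through this script.
declare(strict_types=1);
session_start();

// Assumption: albums live here and are never served directly by Apache.
const ALBUMS_DIR = __DIR__ . '/albums';

// Constructed stand-in for the pictures table: pid => [relative path, album id].
const PICTURES = [
    123 => ['path' => 'userpics/10001/holiday.jpg', 'aid' => 7],
    124 => ['path' => 'userpics/10001/private.png', 'aid' => 8],
];

// Hypothetical ACL check; a real deployment calls the gallery's own one.
function user_may_view(int $aid): bool
{
    return isset($_SESSION['user_id'])
        && in_array($aid, $_SESSION['allowed_albums'] ?? [], true);
}

function deny(): void
{
    // One status for "unknown pid" and "forbidden" so the script does not
    // confirm which pids exist.
    http_response_code(404);
    exit;
}

// A guessable pid is acceptable: the decision is made here, not by URL secrecy.
$pid = filter_input(INPUT_GET, 'pid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!is_int($pid) || !isset(PICTURES[$pid]) || !user_may_view(PICTURES[$pid]['aid'])) {
    deny();
}

// Resolve the stored path and confirm it still lies inside ALBUMS_DIR.
$base = realpath(ALBUMS_DIR);
$real = realpath(ALBUMS_DIR . '/' . PICTURES[$pid]['path']);
if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
    deny();
}

header('Content-Type: ' . (mime_content_type($real) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
```

The gallery's HTML then references images as showpic.php?pid=123 instead of the file path, so an unauthenticated request for the file itself is refused by Apache and a request through the script is refused by the ACL.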

gmc

it is on my list to release... Have a little cleanup to do for it to work with all galleries...
Was my first plugin attempt... And learned a lot since :)

Configurable to mask or encrypt the filepath (you decide on acceptable overhead), and does not require http access to the albums folder (can use .htaccess to DENY FROM ALL)..
Only supports displaying image types supported by GD/ImageMagick - other formats pass through as they do today, and will require http access.

I currently have it bundled with dynamic watermarking (text) options, but was suggested to separate.

I am traveling for next week+.. But will take a look at it when I get home...
(One of a couple of plugins I need to release...)

You can take a look at gallery.gmcdesign.com to see what it looks like.. That uses the encryption method. View page source and let me know if you can figure out the full path to any of my photos... :)

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

heinrich

Quote from: Αndré on June 27, 2014, 08:11:43 PM:
If you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists

The pid is guessable, that's why I didn't want to use it, but you are right, if I check permissions in the script, that could be easier if the functions to do so are already in place...

Quote from: Αndré on June 27, 2014, 08:11:43 PM:
(I assume you want to do something like "showpic.php?pid=123", which also already exists as a mod or plugin somewhere in our board if I remember correctly). If the browser submits the ID to that script, it can check if the user has permission to view the picture in the first place.

Yes, that is pretty much what I try to do...

Quote from: gmc on June 27, 2014, 11:43:20 PM:
it is on my list to release... Have a little cleanup to do for it to work with all galleries...
Was my first plugin attempt... And learned a lot since :)

I'd love to take a look at it... possibly it already does everything I want...

sindbad5

Encrypting the filepath is fine. That's exactly the plugin I'm waiting for.

Tom

gmc

Thank you for 'bumping' this.. It fell off my radar.
I am traveling this week, but will get something ready to share next week.
Greg

gmc

OK... it took me longer than a week... lol...
Take a look at the new Mask URL Plugin - which gives options to 'mask' or 'encrypt' the path to your pictures in the generated URLs.

http://forum.coppermine-gallery.net/index.php/topic,78168.msg378179.html#msg378179

Greg