downloadList can download without being logged in

I have installed the latest release of zenphoto and activated the extension downloadList. My Albums are private.

I can download a whole album as a zip file with such a link without logging in:
http://192.168.1.128/zenphoto/index.php?album=Kiev&download=Kiev&albumzip=true

That means anyone can download all photos if he knows the album title.

And I can access all images in the cache directory. Why is it necessary to have the cache directory in the web path?
--
In my opinion zenphoto has a broken security design.

Joerg

Comments

  • acrylian Administrator, Developer
    Zenphoto has no direct concept of "private" albums. If you mean with "private" that they are just unpublished, it is by design (and always was) that anyone who knows the link can access it.
    Please see the rules of visibility and protection here:
    http://www.zenphoto.org/news/an-overview-of-zenphoto-users#rules-of-protection-andvisibility-for-zenphoto-obj

    Additionally you can set a download password on the downloadList plugin. If you set an album password you also cannot download.

    The cache directory does not contain the full images you upload as you probably know. Also the download album zip does not use the cache ones. You can protect direct access via htaccess (like hotlinking and similar).

    The /albums folder itself can very well be outside of the root and also be renamed (multimedia files will not work if the browser trying to use them still requires Flash). That can be configured on the /zp-data/zenphoto.cfg.php file.
  • With private album I mean the following: I have to log in with user and password to have access to the files. If zenphoto gives me a login page, I assume that only if I log in do I have access to the files. If I can get around this I would not recommend anyone to use it.

    It should not be so difficult to check via cookies if a user is logged in and does have access rights to files before sending them.

    If you have the opinion that when "I know the link then I have access rights" then it is just an insecure application. Bad luck for those that think their family photos are safe just because the app has a user management. I don't know if everyone using it is aware that someone could steal their photos.
    So you should at least clarify that the user management is not to secure the access.

    For me that is a k.o. criterion. Maybe you should rethink the design.
  • Perhaps you can add some more details. I have checked the download and find it working correctly. I used a link similar to the one you posted both on a "private" gallery and on a "public" gallery where the album in question had a password attached. In both cases the result was a logon screen, not a downloaded zip file.

    I don't wish to sound confrontational, but you should tell us the actual version number of the Zenphoto you are running. All too often we find that "the latest version" means perhaps the version the web host provides, or one that was downloaded from some download site and is quite different from the current released version.

    It is unclear from your post whether the album is password protected or the site is private. Also how do you know that you are not logged in?

    Are you sure that Zenphoto is serving the zip file and that it has not been cached by your server/browser and is being served from there? The link you show is a localhost variant, so I presume you are doing testing and may have downloaded the zip when you were logged in.
  • acrylian Administrator, Developer
    @wobler:
    If you have the opinion that when "I know the link then I have access rights" then it is just an unsecure application.
    You surely read the link I posted above. This is for unpublished albums, which I was referring to.

    Also you need to understand that Zenphoto itself can only control script page access, not direct filesystem operations. It is not involved in those if you put in a direct link. That needs to be done server side then. That is noted on the link above.

    If you wish your site to be completely secure and hidden from the public because it is really private, the most secure thing is to protect the whole directory ZP is installed in via an htaccess password. Your host probably provides something for that. I have added info for that to the link above.
  • @sbillard

    My configuration:
    Debian in a VMware, host XP
    Zenphoto is installed in the VMware Debian. I downloaded it from the zenphoto web site:

    zenphoto-zenphoto-1.4.6

    security
    Cookie security enabled

    gallery
    Gallery type private

    image
    Secure image processor enabled

    Full image protection: Protected View
    Disabling hotlinking: enabled

    downloadList
    User rights enabled

    Album: published
    Owner: Admin

    Started Browser Chrome. I logged in as admin, uploaded an image to a new album called test2.

    I started a different browser, IE. Deleted cache, cookies, everything. Exit IE. Start IE.
    http://192.168.61.128/zenphoto
    gives me the login page, but

    http://192.168.61.128/zenphoto/index.php?download=Test2&albumzip=true

    And voilà, zenphoto sends the album as a zip file, verified.
  • acrylian Administrator, Developer
    I can reproduce that indeed. That's not right. It is correctly blocked if the site is not set to private but the album has a password set. Thanks, we will look into this.
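To make the access-control gap confirmed above concrete, here is an added model (not Zenphoto's code) of the two decisions at play: the zip endpoint honouring only an album password versus applying the same rule as the gallery page, where a private site demands a login before anything else. The site, album and session types and the `handle()` router are assumptions built for illustration; the sample URLs reuse the ones from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

@dataclass
class Site:
    gallery_private: bool            # "Gallery type private" in the reporter's config

@dataclass
class Album:
    name: str
    password: Optional[str] = None   # None when no album password is set

@dataclass
class Session:
    logged_in: bool = False
    unlocked: Set[str] = field(default_factory=set)  # albums whose password was entered

def zip_allowed_reported(site: Site, album: Album, session: Session) -> bool:
    """Behaviour the thread reports: the zip download only honours an album
    password; the site-wide 'private' setting is never consulted."""
    if album.password is None:
        return True
    return session.logged_in or album.name in session.unlocked

def zip_allowed_fixed(site: Site, album: Album, session: Session) -> bool:
    """Same rule as the gallery page: a private site needs a login first,
    then the album password (if any) still applies."""
    if site.gallery_private and not session.logged_in:
        return False
    return zip_allowed_reported(site, album, session)

def handle(url: str, site: Site, albums: Dict[str, Album], session: Session,
           gate=zip_allowed_fixed) -> str:
    """Route a request like the one in the thread and report what gets sent."""
    q = parse_qs(urlsplit(url).query)
    if q.get("albumzip", [""])[0] != "true":
        return "login-page" if site.gallery_private and not session.logged_in else "gallery-page"
    name = q.get("download", [""])[0]
    album = albums.get(name)
    if album is None:
        return "not-found"
    return f"zip:{name}" if gate(site, album, session) else "login-page"

# Constructed sample data mirroring the reporter's setup (private site, published album Test2).
PRIVATE_SITE = Site(gallery_private=True)
ALBUMS = {"Test2": Album("Test2"), "Kiev": Album("Kiev", password="secret")}
ANON = Session()
REPORTED_URL = "http://192.168.61.128/zenphoto/index.php?download=Test2&albumzip=true"
```

Running `handle(REPORTED_URL, PRIVATE_SITE, ALBUMS, ANON, gate=zip_allowed_reported)` yields the zip for an anonymous visitor, while the default fixed gate returns the login page.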