Issue: FILE URL CAN BE GUESSED!
All original uploaded files and cached images to be be easily guessed from the URL in an public album.
(obscured or not, as the obscured cache option only adds some hash to the URL and does not fully cloak the filename)
I would really like to use the gallery for my portfolio but the big thing is that the original files are not very secure.
williamz already posted on this but in relation to the cache image filename in
http://www.zenphoto.org/support/topic.php?id=2841but i don't think this is the right way to protect the original uploads.
So what to do?
What I'd like to achieve is NOT to cloak the image part in the URLs but to add a md5() or whatever unique part to the image itself that can't be guessed by humans, eg:
URL: localhost/Album-Name-1/IMG_0001.jpg
FILENAME: IMG_0001-zgafsuha7fz2938zt92ghwuhef79uZfgzuas34gfhUZFGASZUFG.jpg
TITLE(already auto-processed): IMG 0001
...
By that one would need to store the URL Filename and a obscure REAL filesystem filename in the db for every image.
Same goes for the cached images, but the focus is on the original fullsize uploads here.
Zenphoto uses scripted protection to limit access to URLs - but this is not effective against scripted hacks that rip off all my full sized images in one night based on direct file access and guessing filenames.
Currently the only thing one must know to write a downloader (even for a unpublished and password protected album) is the albumname and guess standard filenames... eg: IMG_0001, PIC__...
I think this is a very effective and important feature on file security and should at least limit the use of easy hacks.
Can anybody with the core knowledge help here?
Zenphoto
Comments
First, you can rename the main "albums" folder to something different via the config file in `/zp-data`. Also there you can define its location to be outside the webroot so it cannot be accessed directly. This has some drawbacks as noted there.
Second, you can additionally obsure the cache file names (Options > Security). You will need to clear the cache to see the effect. But you know that already.
Additionally I would recommend to add a htaccess file to protect against hotlinking. Also your theme used should not refer to the full image anywhere because what is loaded by the browser can be copied.
IF:
The filesystem "/albumsXXXX/" path isn't revealed in the frontend source code anywhere, either image caching for preview images is enabled or not?
EDIT:
Is it revealed when "Download" image protection is chosen and somebody downloads the image or would someone need to packet sniff the request to know the source?
>>Zenphoto is file system based and therefore the url mirrors the structure.
So the only real way to deny public access to the images would be a .htaccess deny directive for all album folders?
Hotlinking is not the problem and should be allowed if somebody has a link that can't be guessed by simple logic to guess other files in the album.
Thanks for your quick reply!
1. changed the main album repository (default: /albums)
2. changed the folder privilege to 0744
In the ZenPhoto environment full images can now (HOPEFULLY!?) only be read through full-image.php (My full image protection option is set to Download)
The downside: full images can't be hotlinked.
Any ideas if there's a other simple solution? (maybe .htaccess user auth for external requests that doesn't require local scripts like full-image.php to authenticate?)