Zenphoto bypasses password for images

Some folders of my site have images for public viewing, other folders are supposed to have restricted images, protected with a password controlled by the server.

The access to those restricted folders went like this:
The user clicks on a thumbnail from the listed images in a restricted folder. The thumbnails are visible, that's wanted. Next you see a preview of the wanted image (I set the size for this to 400 pixels height).
A click on that image prompts for a username and password for that restricted folder. Once given, you see the original image, some up to 8K in size.
So far so good, I thought, but a smart user informed me about a problem.

You can bypass the password by doing this:
Go back to the preview sized image of 400 pixels and hover the cursor over the image.
Right click and choose 'Copy Image Link'.
Paste the link to the URL field of your browser.
Look at the link, there you'll find the preview set size of '400'. Now change the '400' to '1080', give it a go and you'll get the image in original size, without giving a password. You can even increase the size of the image by choosing the wanted size instead of the '400'.

It seems that the application takes the image from the picture buffer for the preview and thumbnail, only the call for the original picture accesses the protected folder.

Obviously I have made a big (logical) error here, could you help me, do you have a solution for this?

Please and thank you.

Zenphoto version 1.6 (Official build)
Current gallery theme: Basic
Server software: LiteSpeed
PHP version: 8.1.13
Graphics support: PHP GD library 2.3.3
Database: MariaDB 10.3.37

Test file in folder: https://gagala.org/z/Test/
User: Test
PW: )}Op@uLmiUxq

Comments

  • acrylian Administrator, Developer

    Yes, indeed those URLs trigger the image processor. It still gets you a resized image that may be compressed and not the actual original image.

    Try setting these:

    • Options > Image > Protect image cache
    • Options > Image > Secure image processor

    We will review the image processor to see if we can perhaps improve this.

    Note that if someone finds out the URL to the actual full image that will also work since Zenphoto as a script cannot protect direct access. Here you should work with a renamed and external albums folder outside the web root (Please see the config file for info).
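
The idea behind a "secure image processor" setting, as an added illustration that is not Zenphoto's code: the server signs the album, image and size into the processor URL with a server-side secret, so editing the size from 400 to 1080 invalidates the signature, and as defence in depth any derived image larger than the public preview still requires the album to be unlocked in the session. Endpoint path, parameter names, the secret and the album list are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-server-side-secret"   # constructed; never appears in a URL
PROTECTED_ALBUMS = {"Test"}                  # constructed: albums behind a password
PREVIEW_SIZE = 400                           # largest size shown before the password


def sign(album: str, image: str, size: int) -> str:
    """HMAC over every parameter that selects what gets rendered."""
    msg = f"{album}/{image}/{size}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def processor_url(album: str, image: str, size: int) -> str:
    """Emitted by the server for thumbnails and previews it chose to show."""
    q = {"a": album, "i": image, "s": size, "check": sign(album, image, size)}
    return "/resize?" + urlencode(q)          # hypothetical endpoint


def serve(url: str, session_unlocked: set) -> str:
    """Handler for the processor endpoint; returns what would be served."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        album, image, size = q["a"], q["i"], int(q["s"])
    except (KeyError, ValueError):
        return "400 bad request"
    # 1. Signature binds album, image AND size: a tampered size no longer verifies.
    if not hmac.compare_digest(q.get("check", ""), sign(album, image, size)):
        return "403 bad signature"
    # 2. A derived image above the preview size is still a view of the protected
    #    original, so it needs the album password even with a valid signature.
    if album in PROTECTED_ALBUMS and size > PREVIEW_SIZE and album not in session_unlocked:
        return "401 album password required"
    return f"image {album}/{image} @ {size}px"


def demo() -> tuple:
    good = processor_url("Test", "photo.jpg", PREVIEW_SIZE)   # constructed request
    tampered = good.replace("s=400", "s=1080")                 # the bypass attempt
    return serve(good, set()), serve(tampered, set())


if __name__ == "__main__":
    print(demo())
```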

  • fretzl Administrator, Developer
    edited February 2023

    You can also limit the maximum image size in Options -> Image -> Maximum image size
    That way the image will never exceed a certain size even if the password form is bypassed.
    In the meantime we're looking into this.

  • Options > Image > Protect image cache: Doesn't show thumbnails anymore.

    Options > Image > Secure image processor: Works great!

    Thanks a bunch!

  • OOPS! Correction!

    When I switch on 'Secure image processor', the automatic load of a thumbnail or preview for new files, or if I have purged the image cache, does not work.
    I have to switch off 'Secure image processor', click on each single image to get the preview and switch it on again when all is done.

    I hope you'll find a solution for this soon.
