The simpler media website CMS
Some folders of my site have images for public viewing; other folders are supposed to have restricted images, protected with a password controlled by the server.
The access to those restricted folders went like this:
The user clicks on a thumbnail from the listed images in a restricted folder. The thumbnails are visible, that's wanted. Next you see a preview of the wanted image (I set the size for this to 400 pixels in height).
A click on that image brings up a prompt for a username and password for that restricted folder. Once those are given, you see the original image, some up to 8k in size.
So far so good, I thought, but a smart user informed me about a problem.
You can bypass the password by doing this:
Go back to the preview sized image of 400 pixels and hover the cursor over the image.
Right click and choose 'Copy Image Link'.
Paste the link to the URL field of your browser.
Look at the link, there you'll find the preview size of '400'. Now change the '400' to '1080', give it a go and you'll get the image in its original size, without giving a password. You can even enlarge the image by entering the size you want instead of the '400'.
It seems that the application takes the image from the picture buffer for the preview and thumbnail, only the call for the original picture accesses the protected folder.
Obviously I have made a big (logical) error here, could you help me, do you have a solution for this?
Please and thank you.
Zenphoto version 1.6 (Official build)
Current gallery theme: Basic
Server software: LiteSpeed
PHP version: 8.1.13
Graphics support: PHP GD library 2.3.3
Database: MariaDB 10.3.37
Test file in folder: https://gagala.org/z/Test/
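The bypass described in the post comes down to where the authorization check sits. The following added example (not Zenphoto code; the album name, the 400 px preview limit and the request model are assumptions) contrasts a check that only gates the original file with one that authorizes every derivative, cached or not, before it is served:

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model of the flow described above. Album names and the
# 400 px preview limit are assumptions, not Zenphoto's own values.
PREVIEW_MAX_HEIGHT = 400
PROTECTED_ALBUMS = {"Test"}   # hypothetical password-protected album


@dataclass(frozen=True)
class ImageRequest:
    album: str
    height: Optional[int]   # None = the original file is requested
    from_cache: bool        # derivative already sits in the picture buffer


def album_unlocked(album: str, unlocked: Set[str]) -> bool:
    """True if the album is public or this session supplied its password."""
    return album not in PROTECTED_ALBUMS or album in unlocked


def vulnerable_check(req: ImageRequest, unlocked: Set[str]) -> bool:
    """Pattern the post describes: only the original-file path is gated,
    so a resized derivative of any height is handed out without a login."""
    if req.height is None:
        return album_unlocked(req.album, unlocked)
    return True


def hardened_check(req: ImageRequest, unlocked: Set[str]) -> bool:
    """Decide per album before serving anything; from_cache is deliberately
    ignored. Anonymous visitors get at most the preview size."""
    if album_unlocked(req.album, unlocked):
        return True
    return req.height is not None and req.height <= PREVIEW_MAX_HEIGHT


def run_scenario(check) -> dict:
    """Replay the steps from the post against a given check function."""
    anon: Set[str] = set()
    return {
        "preview_400": check(ImageRequest("Test", 400, True), anon),
        "edited_1080": check(ImageRequest("Test", 1080, True), anon),
        "original": check(ImageRequest("Test", None, False), anon),
        "after_login": check(ImageRequest("Test", 1080, True), {"Test"}),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        print(name, run_scenario(fn))
```

With the hardened check the edited 1080 px request is refused for an anonymous visitor while the 400 px preview still works, and everything is served once the album password has been given.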