I found that there are no security checks on access to the cached images. I mean anyone can access images in the cache folder without being logged in to Zenphoto, even if those images are in password protected albums.
In fact when someone accesses an image, he gets direct access to the cached image. So if you know the image name pattern you are able to access any cached images you want without any rights.
The cached images should be displayed by a PHP page that checks your rights before accessing it, and direct access to any images should be forbidden.
Did I miss something?
Comments
You have to protect the cache folder as well as the albums folder using a proper htaccess file (of course your server must support that) and set the right folder/file permissions if you want to prohibit direct access. See the troubleshooting. You will need to experiment a little to find which settings are right for your server.
It is also a good idea to disable folder listing on the server so no one can access a folder directly. Maybe ask your host about that.
If I ban access to the cache folder, I cannot see any images on my Zenphoto instance anymore.
I already protected my folders from listing files. But this is not sufficient.
If you don't want your password protected albums to appear on the site itself you also have to set them to unpublished (note if you are logged in you will see them nevertheless). Info about this is on the troubleshooting page as well.
Let's see an example: http://www.zenphoto.org/zenphoto/demo-gallery/P4100284.jpg.php
This page is on your demo site. If you look at the HTML source code of this page you can see that the image is displayed like this:
<img src="/zenphoto/cache/demo-gallery/P4100284_595.jpg" alt="P4100284" height="446" width="595">
Which means that the browser can directly access http://www.zenphoto.org/zenphoto/cache/demo-gallery/P4100284_595.jpg
And doing that, there are no security checks on that access as Zenphoto is not involved anymore (that's the security problem!).
We shouldn't be able to access this file directly.
Again, the only way to disable direct image linking (called "hotlinking") is to use a proper .htaccess file and server permissions. If you link directly to an image Zenphoto is not even used and therefore bypassed. So the server needs to do that, as I already told you.
The only way to really protect images from any access on the web is not to put images on the web.
If someone knows the links to your images they will be able to see them no matter what you do. But of course, password protected images in password protected albums would not normally be disclosed, so the image names would have to be guessed.
Perhaps you are being too paranoid? Protect these images with things like watermarks. Nothing else will be effective on a usable site.
So to avoid this pitfall, it would be really great to display images by using a PHP page which will read the image file in the cache directory and output it directly after verifying that you have the rights to do so.
Instead of getting this in the pages:
<img src="/zenphoto/cache/demo-gallery/P4100284_595.jpg" alt="P4100284" height="446" width="595">
We would have this (for example):
<img src="/zenphoto/picture.php?img=demo-gallery/P4100284_595.jpg" alt="P4100284" height="446" width="595">
For example. Doing this, the cache directory can be protected from any access as only picture.php will access it through the filesystem (not HTTP). Thus albums and cache directories could even be outside the DocumentRoot of your site which will be a major security improvement.
Displaying pictures this way would definitely protect images from being stolen by by-passing Zenphoto security checks.
I hope you will understand what is in my mind.
Best regards.
If we cache albums when a user with the password views them, then they will be forever in the cache. So THE ONLY WAY that they do not end up in the cache is for them not to be cached.
So you ARE asking that images in protected albums not be cached.
I suggest you go back to school on how browser clients access the WEB, how PHP works and even how Zenphoto works. It might surprise you, but when an image is first uploaded, there is no cached copy of it. So when you first view it, a PHP script must provide it.
So, if you want a PHP script to provide the image it will have not to be cached. If it is not cached, a PHP script will indeed provide it.
But as said before, this is really a bad idea.
But you can always look for a different WEB gallery that does just what you suggest. There are ones that are not Filesystem based. Those are not Zenphoto, though.
I do NOT WANT private images not to be cached.
I'm just explaining that the fact that private cached images are accessible without passing by zenphoto security checks seems to me to be a confidentiality breach. If private images are directly accessible to anyone they are not private anymore.
Thus I'm sure you know this page (http://fr.php.net/manual/fr/function.readfile.php) better than me and I think this could solve the problem easily. By serving (not generating) ALL images (private or not) through a zenphoto PHP script doing ACL checks, no more direct access to images, which means confidentiality assured.
Sincerely.
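A sketch of the gateway script proposed in the two posts above (the picture.php idea and the readfile approach), as an added example that is not Zenphoto's own code: the script name, the cache path, the album list and the session layout are all assumptions. It also handles the path traversal risk that a user-controlled `?img=` parameter introduces, which the posts do not mention.

```php
<?php
// Hypothetical image gateway (added example, not Zenphoto code). Serves a cached
// image only after an authorization check, so the cache folder itself can sit
// outside the DocumentRoot and be unreachable over HTTP.
declare(strict_types=1);
session_start();

const CACHE_ROOT = '/var/www/private/cache';            // assumption: not web-reachable
// Constructed sample data: albums whose images require an unlocked session.
const PROTECTED_ALBUMS = ['family' => true, 'clients' => true];
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png', 'gif' => 'image/gif'];

function album_unlocked(string $album): bool {
    // Public albums need no rights; protected ones must have been unlocked by the
    // gallery's own password prompt, which is assumed to record this in the session.
    if (!isset(PROTECTED_ALBUMS[$album])) {
        return true;
    }
    return !empty($_SESSION['unlocked_albums'][$album]);
}

function resolve_cached_image(string $img): ?array {
    // Accept only "album/file.ext" with a conservative character set (no "..",
    // no absolute paths), then canonicalize and confirm the result is still
    // inside the cache root. Both checks together defeat traversal attempts.
    if (!preg_match('#\A([A-Za-z0-9_-]+)/[A-Za-z0-9_.-]+\.([A-Za-z]+)\z#', $img, $m)) {
        return null;
    }
    $ext = strtolower($m[2]);
    if (!isset(MIME_BY_EXT[$ext])) {
        return null;
    }
    $root = realpath(CACHE_ROOT);
    $real = realpath(CACHE_ROOT . '/' . $img);
    if ($root === false || $real === false || strpos($real, $root . '/') !== 0) {
        return null;
    }
    return ['path' => $real, 'album' => $m[1], 'mime' => MIME_BY_EXT[$ext]];
}

$hit = resolve_cached_image((string)($_GET['img'] ?? ''));
// Use the same 404 for "missing" and "not allowed" so a guesser cannot
// distinguish protected image names from absent ones.
if ($hit === null || !album_unlocked($hit['album'])) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $hit['mime']);
header('Content-Length: ' . (string)filesize($hit['path']));
header('Cache-Control: private, no-store');   // keep shared proxies from retaining it
readfile($hit['path']);
```

Note that this only closes the direct-URL hole; as the replies point out, any visitor who is legitimately shown an image can still save it, so watermarking remains the only protection against redistribution.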
Images are either cached or they are not. This is a binary state. (You can comprehend that there is no in between, can't you?) If cached then they exist in the cache folder--that is a tautology.
If images are in the cache folder then they can be viewed by anyone who can guess the URL. Anything that would prevent this would also prevent them from being viewed when you want them to. So, you CANNOT have the images you want to protect in the cache folder. Thus QED, you DO NOT want the protected album images cached.
If the images are cached already in the cache folder they are loaded by a PHP script by the name of i.php. Thus, if the protected album images are prevented from being placed in the cache folder they will get loaded by a PHP script--just what you said you wanted.
Anyway, if I had any inkling of doing something like this your attitude certainly has banished it from my thoughts. Go somewhere else, Zenphoto is not for you.