Topic: Solution for preventing direct access to album images

saivert
  • Coppermine newbie
  • Posts: 2
Solution for preventing direct access to album images
« on: April 16, 2008, 01:49:16 am »

PREFACE: cpg can be set up to allow only registered users access to the site, but it does not protect the actual image files themselves.
This is a mod to cpg that will require you to be logged in to get access to the image files in the albums folder.
This guide assumes that you are using Coppermine version 1.4.16


First we have to lock down the albums folder by making a new .htaccess with the following two lines:
Code:
Order Allow,Deny
Deny from All

Then you modify functions.inc.php and change the get_pic_url return statement into this (line 2015 in revision 4233):
Code:
return "getimage.php?file=".base64_encode($pic_row['url']);

Then create a new PHP script called getimage.php in the cpg root with this content:
Code:
<?php
/* getimage.php - Restrict access to images to logged in users only
   for Coppermine image gallery
   Written by Saivert */

define('IN_COPPERMINE', true);
define('GETIMAGE_PHP', true);

require('include/init.inc.php');

// Not logged in and the gallery does not allow anonymous access: serve the placeholder instead
if (!USER_ID && $CONFIG['allow_unlogged_access'] == 0) {
    header('Content-type: image/png');
    readfile('images/no_access.png');
    exit();
}

if (isset($_GET['file'])) {
    $path = base64_decode($_GET['file']);
    // Pick the MIME type from the file extension
    if (preg_match('/\.(.+)$/', $path, $m)) {
        switch ($m[1]) {
            case 'jpg': $mt = 'image/jpeg'; break;
            case 'png': $mt = 'image/png'; break;
            case 'gif': $mt = 'image/gif'; break;
        }
    } else {
        $mt = 'image/jpeg'; // we fallback to JPEG. should work most of the time.
    }

    header('Content-type: ' . $mt);
    readfile($path);

} else die('missing filename');

?>


(Note please ensure the regular expression above is correct. It's supposed to grab the file extension. I quickly did a test and it seemed like it was working. But you never know..)

You will have to create an image that will be shown to users who have not logged in yet, or grab this one: [Edit GauGau ] Replaced hotlinked image with attachment [/Edit]
Anyways it has to be named no_access.png and reside in the images subfolder of your cpg root.


That's it, nobody will be able to access images without logging in.
« Last Edit: April 16, 2008, 07:32:44 am by Joachim Müller »

Joachim Müller
  • Dev Team member
  • Coppermine addict
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Solution for preventing direct access to album images
« Reply #1 on: April 16, 2008, 07:34:03 am »

Thanks for your contribution. Let me post a warning with this mod: using this mod will burn a great amount of resources on your server, so only use it if you have the server-sided power to do so.

Timos-Welt
  • Dev Team member
  • Coppermine addict
  • Posts: 808
    • Timos-Welt
Re: Solution for preventing direct access to album images
« Reply #2 on: April 16, 2008, 09:35:18 am »

Beautiful - just do a

http://yourgallery.com/cpg/getimage.php?file=include/config.inc.php

and have fun with admin username and password. Saves a lot of time - no need to hack anything anymore. ::)

saivert
  • Coppermine newbie
  • Posts: 2
Fix for exploit
« Reply #3 on: April 16, 2008, 10:05:07 am »

Timos-Welt: You are right, although you would need to base64 encode the path first..
include/config.inc.php --> aW5jbHVkZS9jb25maWcuaW5jLnBocA==
but that is not hard to do either

Here is an updated getimage.php script that fixes this exploit:

Code:
<?php
/* getimage.php - Restrict access to images to logged in users only
   for Coppermine image gallery
   Written by Saivert */

define('IN_COPPERMINE', true);
define('GETIMAGE_PHP', true);

require('include/init.inc.php');

// Not logged in and the gallery does not allow anonymous access: serve the placeholder instead
if (!USER_ID && $CONFIG['allow_unlogged_access'] == 0) {
    header('Content-type: image/png');
    readfile('images/no_access.png');
    exit();
}

if (isset($_GET['file'])) {
    $path = base64_decode($_GET['file']);

    // Only the three image types the gallery serves are accepted, so $mt is
    // always defined when we get as far as sending a file.
    $isimg = preg_match('/\.(jpg|png|gif)$/i', $path, $m);
    if ($isimg) {
        switch (strtolower($m[1])) {
            case 'jpg': $mt = 'image/jpeg'; break;
            case 'png': $mt = 'image/png'; break;
            case 'gif': $mt = 'image/gif'; break;
        }
    }

    // The request must resolve to a file inside the real albums folder.
    // Note that '$' is the end-of-string anchor in a regex, so a pattern such as
    // '#$albums/#' can never match, and a bare 'starts with albums/' string test
    // would still let '..' segments escape the folder; comparing the canonical
    // path (realpath) against the canonical albums directory avoids both problems.
    $albums = realpath(dirname(__FILE__) . '/albums');
    $real   = realpath(dirname(__FILE__) . '/' . $path);
    $inside = $albums !== false && $real !== false
              && strpos($real, $albums . DIRECTORY_SEPARATOR) === 0;

    if ($isimg && $inside && is_file($real)) {
        header('Content-type: ' . $mt);
        readfile($real);
    } else die('not an album');

} else die('missing filename');

?>


Sorry for that.

Joachim Müller
  • Dev Team member
  • Coppermine addict
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Solution for preventing direct access to album images
« Reply #4 on: April 16, 2008, 10:12:25 am »

You need to explicitly sanitize user input...
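The point made above, worked through as an added example that is not code from the thread: a small Python model of the checks getimage.php needs on its file parameter (decode, image-extension allow-list, canonical-path containment under albums/). Python is used so the checks can be run and tested anywhere; the fixture directory, the demo image and the helper names are constructed for this example, and the base64 value for include/config.inc.php is the one quoted earlier in the thread.

```python
import base64
import os
import tempfile

ALBUMS_DIR = "albums"   # Coppermine's image folder, as in the thread
ALLOWED_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".png": "image/png", ".gif": "image/gif"}

def encode_param(rel_path):
    """What the modified get_pic_url() emits: base64 of the relative URL."""
    return base64.b64encode(rel_path.encode()).decode()

def resolve_album_image(cpg_root, file_param):
    """Return (absolute_path, mime_type) when file_param names an existing
    image inside <cpg_root>/albums, else None. Rejections are deliberate:
    bad base64, a non-image extension, or a canonical path that leaves albums."""
    try:
        rel = base64.b64decode(file_param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if "\x00" in rel:
        return None
    mime = ALLOWED_TYPES.get(os.path.splitext(rel)[1].lower())
    if mime is None:
        return None
    albums = os.path.realpath(os.path.join(cpg_root, ALBUMS_DIR))
    target = os.path.realpath(os.path.join(cpg_root, rel))
    # Containment is checked on the canonical path, so '..' segments and
    # symlinks cannot escape; a plain 'starts with albums/' string test can.
    if os.path.commonpath([albums, target]) != albums:
        return None
    if not os.path.isfile(target):
        return None
    return target, mime

def make_fixture():
    """Constructed stand-in for a Coppermine root: one album image, the
    no_access.png outside albums, and the config file the thread mentions."""
    root = tempfile.mkdtemp(prefix="cpg_")
    os.makedirs(os.path.join(root, "albums", "userpics", "10001"))
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "include"))
    for rel, data in (("albums/userpics/10001/demo.jpg", b"\xff\xd8\xff\xd9"),
                      ("images/no_access.png", b"\x89PNG"),
                      ("include/config.inc.php", b"<?php // constructed ?>")):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root
```

The album image resolves; the config path from the thread, a path that climbs out of albums/ to images/no_access.png, and a non-existent file are all refused.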

primera
  • Coppermine newbie
  • Posts: 3
Re: Solution for preventing direct access to album images
« Reply #5 on: November 25, 2008, 04:43:37 am »

Then you modify functions.inc.php and change the get_pic_url return statement into this (line 2015 in revision 4233):

change this one :        return $pic_row['url'];


I don't know which return statement it is... Could you tell me more detail? thx ~

ch33p0x
  • Coppermine newbie
  • Posts: 11
Re: Solution for preventing direct access to album images
« Reply #6 on: May 13, 2009, 08:06:30 pm »

this s*** won't work!!!!


[Edited: I placed the asterisk above  - Fabricio]
« Last Edit: May 13, 2009, 08:23:35 pm by Fabricio Ferrero »

Fabricio Ferrero
  • Dev Team member
  • Coppermine addict
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: Solution for preventing direct access to album images
« Reply #7 on: May 13, 2009, 08:22:05 pm »

It works for others.. So, there is no reason to insult people.

If you use that word again, I'll ban you forever. OK?


Good Luck,
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

ch33p0x
  • Coppermine newbie
  • Posts: 11
Re: Solution for preventing direct access to album images
« Reply #8 on: May 13, 2009, 08:37:37 pm »

but dude, I've been trying and trying for many days now..
first I found out I had 4.1.22, so I downgraded to 4.1.16 (which this is for)
I was with saivert when he made this, so I know it worked. Now, many months later, I'll start a site for my own. Now he won't answer me, or help me.
I'm so sick of trying and failing. I don't know what I'm doing wrong here. He should be giving feedback since it's his script!

Fabricio Ferrero
  • Dev Team member
  • Coppermine addict
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: Solution for preventing direct access to album images
« Reply #9 on: May 13, 2009, 08:49:41 pm »

I'm not your dude, I don't even know you.

Then, no, the MOD is offered "as is"; you have to deal with it if you want to use it. Some of the contributors offer support, but there is no obligation to do it.

Now he won't answer me, or help me.
I see this very hard, since he last visited the Forum on April 20, 2008, 06:12:41 PM.

Anyways, the only thing I remarked is your attitude. Do you think he is going to support you if you use those kind of words? I think not.

End of discussion please!