Author Topic: Access to full-sized images using the path from "view source"  (Read 4277 times)

oleredeye

« on: November 29, 2010, 12:57:37 pm »

My sandpit gallery is http://www.helmsleyarchaeologicalandhistoricalsociety.org.uk/cpg15x/ running Coppermine 1.5.8 on a Windows server.

I have configured it so that public users can see a normal, watermarked image overlaid with a transparent gif.

Everybody can View Source so that the path to the image is apparent - for example, the html shows background="albums/userpics/10001/normal_Church_Street_1910.jpg"

So if I enter the URL http://www.helmsleyarchaeologicalandhistoricalsociety.org.uk/cpg15x/albums/userpics/10001/normal_Church_Street_1910.jpg  I see the normal, watermarked image without the transparent gif.

But if I edit out normal_ to give http://www.helmsleyarchaeologicalandhistoricalsociety.org.uk/cpg15x/albums/userpics/10001/Church_Street_1910.jpg  I see the full-sized, non-watermarked image which I am trying to protect and stop people stealing….

I want to keep the full-sized, non-watermarked images on the server for privileged users and the administrator.  Is there a workaround to this, please?

Feel free to delete this from the forum if you feel it exposes a security issue you would prefer not to make public....

Αndré

  • Administrator
« Reply #1 on: November 29, 2010, 04:39:18 pm »

That's no security issue and has been discussed lately.

Moving to permissions board.

oleredeye

« Reply #2 on: November 30, 2010, 11:59:49 am »

Fine.  Now sorted with a .htaccess file in the appropriate place...

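# No password files are used; the auth file directives point at /dev/null
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On

# Conditions are ANDed: the rule fires when the Referer is neither host.
# Dots are escaped and the host is anchored so look-alike hosts do not match.
RewriteCond %{HTTP_REFERER} !^http://www\.site\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http://site\.com(/|$) [NC]

# Redirect every other request in this directory to a placeholder image
RewriteRule .* http://www.site.com/angryman.gif [R,L]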

Thanks for pointing me in the right direction, André ...
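An added example, not part of the original posts: a Python model of how two negated RewriteCond tests on the Referer, like those in the .htaccess above, decide whether an image request is served or redirected. It compares a loose prefix pattern with an anchored one; site.com is the thread's placeholder host, and the sample Referer values and function names are constructed for illustration.

```python
import re

# Assumption: site.com is the placeholder host used in the thread's .htaccess.
# Loose form: unescaped dots ("." matches any character) and an open-ended prefix.
LOOSE = [r"^http://www.site.com.*", r"^http://site.com.*"]
# Anchored form: literal dots, and the host must end at "/" or end of string.
ANCHORED = [r"^http://www\.site\.com(/|$)", r"^http://site\.com(/|$)"]


def decide(referer, patterns):
    """Return 'serve' or 'redirect' as the negated RewriteCond pair would.

    Consecutive RewriteCond lines are ANDed and '!' negates each match, so the
    RewriteRule fires only when the Referer matches none of the patterns.
    [NC] is modelled with re.IGNORECASE; a missing header is the empty string.
    """
    allowed = any(re.search(p, referer or "", re.IGNORECASE) for p in patterns)
    return "serve" if allowed else "redirect"


# Constructed sample Referer values (not taken from any real log).
SAMPLES = [
    "http://www.site.com/cpg15x/displayimage.php?pid=1",  # link from the gallery
    "http://SITE.com/",                                   # case differs, [NC] applies
    "",                                                   # URL typed in directly
    "http://other.example/page.html",                     # hotlink from another site
    "http://www.site.com.other.example/page.html",        # look-alike host prefix
    "http://wwwXsite.com/",                               # unescaped dot matches "X"
]


def compare(samples=SAMPLES):
    """Return (referer, loose decision, anchored decision) for each sample."""
    return [(r, decide(r, LOOSE), decide(r, ANCHORED)) for r in samples]


if __name__ == "__main__":
    for referer, loose, anchored in compare():
        print(f"{referer!r:52} loose={loose:8} anchored={anchored}")
```

The Referer header is supplied by the client, so either form discourages hotlinking rather than enforcing who may fetch the full-sized files.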