A Note on Gallery Security...

sb73542

Joined: 2003-11-02
Posts: 12
Posted: Tue, 2004-03-09 19:21

Hi, I'm using Gallery v1.4-pl2 on a business website. There are one or two albums with sensitive information for which I've removed public "ANYBODY" access. But I just now realized that this security is entirely circumvented if your web server's Apache has directory listings enabled. http://yourwebsite/albums/secure/ will bring up all the photos in a directory-tree format for any anonymous user if directory listings are enabled. This isn't a fault of Gallery, but rather of web hosts that refuse to disable directory listing. Their solution is to upload a blank index.html to all folders you want secured. This can be a hassle if you have a lot of secured directories. Does anyone have any better ideas? Thanks a lot for the help!

 
apirkle

Joined: 2004-03-09
Posts: 2
Posted: Tue, 2004-03-09 20:05

If your apache server is set up with the "AllowOverride AuthConfig" or "AllowOverride All" directives in the config file, you can use .htaccess files to control access. You would create a file called .htaccess that looks like this:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

Then you would create a .htpasswd file with user passwords using the 'htpasswd' command (see the man page for htpasswd).

 
apirkle

Joined: 2004-03-09
Posts: 2
Posted: Tue, 2004-03-09 20:10
 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Tue, 2004-03-09 21:48

There's also a "Securing Gallery" section in the manual, but we do acknowledge this to be a major shortcoming in G1. G2 will fix this issue.

 
sb73542

Joined: 2003-11-02
Posts: 12
Posted: Thu, 2004-03-11 03:26

Thanks for all your help! I'm really glad to hear that this is a recognized issue, and being taken care of. Meanwhile I'll see if the .htaccess trick works.

Here's another solution if your webserver supports password protected directories. Create an album. Upload a picture to it that says "Secured, email me for password" and highlight the picture. Then inside that album, create a nested album containing all the classified pictures. Password protect the nested album using unix permissions. The reason I do it with a main album containing a "Protected" banner and a nested sub-album is that the authentication dialogue will appear as it tries to load the thumbnail highlight picture for the album, and this is undesirable when browsing the public area. This way, the banner appears in the public area, and then the authentication dialogue appears when you attempt to enter that album. Just my $0.02! :-)