1.x gallery data directory security issue and fix

harlock

Joined: 2002-11-14
Posts: 5
Posted: Tue, 2002-11-19 07:25

This has probably occurred to someone before, but just in case it hasn't I thought I'd mention it. It surprised me by its obviousness and the lack of a default file created on install that would fix this.

Anyone looking at the image URLs can figure out where your gallery data directory is and go in there and list the contents, which include hidden/private albums and all their pictures, and hires versions you may not want to make available if you're using the scale option.

An easy fix for me was just to go into the root gallery data directory and 'touch index.html', preventing HTTP directory listing, if it's enabled on your server. It doesn't seem to affect gallery's normal operations. FTP-only users can just FTP a blank text file called index.html, or put a nasty note, or a redirect in it. :smile:

Just a thought as I was checking security on one of my galleries that does have private albums on it.

And I do see that this will be addressed in 2.0. (From the feature list: Image Firewall - Gallery image data served through script that can control image access.)

--Mike

beckett

Joined: 2002-08-16
Posts: 3474
Posted: Tue, 2002-11-19 07:49

You can also add "Options -Indexes" to a file called ".htaccess" in that directory to prevent listing the contents.
But that won't prevent the images from being downloaded if you know the URL. In Gallery 2, the images will only be available through Gallery itself, a true "image firewall".
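The two fixes described in this thread (harlock's blank index.html and beckett's "Options -Indexes" in .htaccess) can be applied and checked with a small POSIX shell script. This is an added example written for this page, not code from the Gallery project; the directory path is an argument you supply, and it assumes an Apache-style server that honours per-directory .htaccess files (which requires AllowOverride to permit Options in the server config). It goes slightly beyond the posts by writing index.html into every subdirectory, since album subdirectories under the data directory can be listed just as the root can. As beckett notes, neither measure stops someone fetching an image whose exact URL they already know.

```shell
#!/bin/sh
# Added example: block HTTP directory listing of a Gallery 1.x data directory.
# Assumes an Apache-style server; the path argument is supplied by the caller.

# harden_gallery_data_dir DIR
# Writes "Options -Indexes" into DIR/.htaccess (beckett's fix, applies to the
# whole subtree) and a blank index.html into DIR and every subdirectory
# (harlock's fix, works even on servers that ignore .htaccess).
harden_gallery_data_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # Append the directive only if it is not already present.
    if ! grep -qs '^Options -Indexes' "$dir/.htaccess"; then
        printf 'Options -Indexes\n' >> "$dir/.htaccess"
    fi

    # A blank page in each directory masks any listing the server might serve.
    find "$dir" -type d -print | while IFS= read -r sub; do
        [ -e "$sub/index.html" ] || printf '<html><body></body></html>\n' > "$sub/index.html"
    done
    return 0
}

# check_gallery_data_dir DIR
# Returns 0 when both protections are in place, 1 otherwise, naming what is missing.
check_gallery_data_dir() {
    dir="$1"
    status=0
    grep -qs '^Options -Indexes' "$dir/.htaccess" || {
        echo "missing 'Options -Indexes' in $dir/.htaccess"; status=1; }
    find "$dir" -type d -print | while IFS= read -r sub; do
        [ -e "$sub/index.html" ] || echo "missing $sub/index.html"
    done
    # The pipeline above runs in a subshell, so recount missing files here.
    missing=$(find "$dir" -type d ! -exec test -e '{}/index.html' \; -print | wc -l)
    [ "$missing" -eq 0 ] || status=1
    return $status
}

# Usage: sh harden_gallery.sh /path/to/gallery/albums
if [ "$#" -gt 0 ]; then
    harden_gallery_data_dir "$1" && check_gallery_data_dir "$1" && echo "ok: $1"
fi
```

Run it once against the data directory and again later as a check; a non-zero exit from check_gallery_data_dir means a listing may be possible again (for example after a new album directory was created without an index.html).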