security tips

Rowald

Joined: 2005-06-05
Posts: 27
Posted: Sun, 2005-06-05 06:43

In a shared server environment, or as a result of an intrusion, one cannot prevent someone from dropping a file into your album directory.

A little help is to prevent access to those files. You can do this if you can use .htaccess files and mod_rewrite is installed.

Add this to your .htaccess file:

RewriteEngine on
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$  - [L,NC]
RewriteRule ^albums(.*)  - [F,NC]

This will cause access to fail for anything other than the listed extensions.

You can enhance this with reporting:

RewriteEngine on
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$  - [L,NC]
RewriteRule ^albums(.*)  /report.php [R,NC]

This will give some false alerts, as Nimda is still around and will trigger this.

You can prevent this at a performance cost:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$  - [L,NC]
RewriteRule ^albums(.*)  /report.php [R,NC]

Yo shit, I know how to get around this, but some will step into this.

OK, why not move albums out of the document root? I did this long ago, but didn't realize how easy it is to use with Gallery.

Save this code into a file e.g. galimg.php:

<?php
// galimg.php: serve image files from an album directory kept outside the document root

function acceptableImageList() {
    return array('jpg', 'jpeg', 'gif', 'png');
}

function isImage($tag) {
    $tag = strtolower($tag);
    return in_array($tag, acceptableImageList(), true);
}

function contentType($ext) {
    $types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                   'gif' => 'image/gif',  'png' => 'image/png');
    return $types[strtolower($ext)];
}

// album directory (must NOT be inside the document root)
$gd = '/home/USER/albums';

// a banner, sent for anything that is not an acceptable image
$banner = '/home/USER/www/banner.jpg';

$qs = substr($_SERVER['QUERY_STRING'], 0, 255);

$fs = urldecode($qs);
// ereg_replace() was removed in PHP 7; preg_replace() with the same character class
$qs = preg_replace('/[:*?"<>|;]/', '_', $fs);

$dot = strrchr($qs, '.');
$ext = ($dot === false) ? '' : substr($dot, 1);

$fullPath = $gd . $qs;
// realpath() resolves ".." and symlinks, so the containment check below is made on
// the file the OS would actually open, not on the string the client sent; without it
// "?/../../somewhere/other.jpg" reads any readable image on the box
$realDir  = realpath($gd);
$realPath = realpath($fullPath);
if ( ($qs != $fs)
  || (strpos($fs, "\0") !== false)
  || (!isImage($ext))
  || ($realPath === false)
  || (!is_file($realPath))
  || (strpos($realPath, $realDir . DIRECTORY_SEPARATOR) !== 0) ) {
    $realPath = $banner;
    $ext = 'jpg';
}

header('Content-Type: ' . contentType($ext));
header('Content-Length: ' . filesize($realPath));
@readfile($realPath);
?>

Now change in your gallery config.php file:

$gallery->app->albumDir = "/home/USER/albums";
$gallery->app->albumDirURL = "http://www.modelgraphy.com/galimg.php?";
$gallery->app->userDir = "/home/USER/albums/.users";

Replace USER and that domain accordingly and make sure albums is not in your document root.

I prefer another method:
config.php:

$gallery->app->albumDir = "/home/USER/albums";
$gallery->app->albumDirURL = "http://www.modelgraphy.com/albums";
$gallery->app->userDir = "/home/USER/albums/.users";

.htaccess:

RewriteEngine on
RewriteRule    ^albums(.*)   /galimg.php?$1

This disguises the script file and allows easier switching (some banners for hot linkers :D )

So now don't forget to move your albums directory into the proper location :P

Some words on the script. It makes some security checks and allows only those 4 image file types to be sent :D If something else is requested, the banner is sent.

Have fun with this
Rowald

This works perfectly for www.modelgraphy.com
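To see what the checks in the posted script stop and what they let through, here is an added example (not Rowald's code and not part of Gallery): the validation logic of galimg.php re-implemented in Python, which is an assumed equivalent of the PHP, next to a hardened variant that resolves the requested path and requires it to stay under the album directory. Both run against a constructed scratch tree (an albums/ directory beside a private/ directory that must stay unreachable) with a handful of constructed query strings, including a ".." traversal that carries a valid image extension. Directory and file names in the tree are made up for the demonstration.

```python
"""Model of the galimg.php request checks, run against a scratch album tree."""
import os
import re
import tempfile
from urllib.parse import unquote

IMAGE_EXTS = ('jpg', 'jpeg', 'gif', 'png')
# the character blacklist the posted script applies with ereg_replace()
BAD_CHARS = re.compile(r'[:*?"<>|;]')


def original_check(album_dir, query):
    """The checks the posted script makes: blacklist, extension, file_exists().

    Returns the path that would be handed to readfile(), or None for the banner.
    Neither '/' nor '..' is in the blacklist, so a traversal with an image
    extension passes as long as the target exists.
    """
    fs = unquote(query[:255])
    qs = BAD_CHARS.sub('_', fs)
    ext = qs.rsplit('.', 1)[1] if '.' in qs else ''
    full = album_dir + qs
    if qs != fs or ext.lower() not in IMAGE_EXTS or not os.path.exists(full):
        return None
    return full


def hardened_check(album_dir, query):
    """Same checks, then resolve the path and require it to stay inside album_dir.

    realpath() folds '..' and symlinks, so containment is decided on the file the
    OS would actually open rather than on the string the client sent.
    """
    if '\0' in query:          # PHP before 5.3.4 truncated paths at NUL; refuse outright
        return None
    full = original_check(album_dir, query)
    if full is None:
        return None
    real_dir = os.path.realpath(album_dir)
    real = os.path.realpath(full)
    if not os.path.isfile(real) or os.path.commonpath([real_dir, real]) != real_dir:
        return None
    return real


def build_tree():
    """Constructed layout: albums/ (the album dir) beside private/ (must stay unreachable)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'albums', 'holiday'))
    os.makedirs(os.path.join(root, 'private'))
    for rel in ('albums/holiday/beach.jpg', 'albums/holiday/notes.txt', 'private/leaked.jpg'):
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(b'x')
    return root


def run_probes(root):
    """Returns {query: (original_result, hardened_result)} for constructed requests."""
    album_dir = os.path.join(root, 'albums')
    probes = [
        '/holiday/beach.jpg',                 # legitimate request
        '%2Fholiday%2Fbeach.jpg',             # same request, URL-encoded
        '/holiday/notes.txt',                 # wrong extension
        '/holiday/beach.jpg;id',              # blacklisted character
        '/../private/leaked.jpg',             # traversal: image extension, file exists
        '/holiday/../../private/leaked.jpg',  # traversal through a real subdirectory
    ]
    return {q: (original_check(album_dir, q), hardened_check(album_dir, q)) for q in probes}


if __name__ == '__main__':
    for query, (orig, hard) in run_probes(build_tree()).items():
        print('%-38r original=%-7s hardened=%s' % (
            query, 'serves' if orig else 'banner', 'serves' if hard else 'banner'))
```

The two traversal probes are the case that matters on a shared host: the posted checks only look at the extension and at whether the file exists, so any readable .jpg anywhere on the box can be pulled through the script. The containment check on the resolved path closes that without touching the legitimate and URL-encoded requests.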

 
h0bbel

Joined: 2002-07-28
Posts: 13451
Posted: Sun, 2005-06-05 06:49

Thanks. Would you mind adding it as a user contributed note to the docs @ http://gallery.sf.net/docs.php ?

 
Rowald

Joined: 2005-06-05
Posts: 27
Posted: Sun, 2005-06-05 07:06

not done editing yet ;-)

 
h0bbel

Joined: 2002-07-28
Posts: 13451
Posted: Sun, 2005-06-05 07:16

Rowald, great! I'll make sure that this makes it into the new and improved (tm) docs. :)

 
Rowald

Joined: 2005-06-05
Posts: 27
Posted: Sun, 2005-06-05 07:29

Hey h0bbel,

Thanks and I hope this helps others and doesn't come too late.

I had some connection issues, that's why it took so long to post this, but now it's up and it's intended to help others, so please feel free to repost.

Well and I will be happy to hear improvement tips. Too many things to take into account when it is about security.

Rowald

 
Rowald

Joined: 2005-06-05
Posts: 27
Posted: Mon, 2005-06-06 19:42

Sorry,

I've deleted $qs = strip_tags($qs,''); from the PHP code above. It's not needed and it's faster without.

Rowald