Don't know if I've done something wrong.
But I've got some hidden albums which require the "Logged In" permission,
but if a user copies the link to a restricted pic into a forum, any user can view the picture, as well as all pics in that album.
I've had to drop a blank index.htm file into each of the albums I want restricted.
Just want to know why you need security permissions to view an album, but the folder is publicly viewable?
Like, if someone knew the name of an album, all they have to do is type aaa.jpg after it (because that's how I have mine set up) and view the pics in my folder, even though it's got an index file in there.
Thanks in advance.
The following information is required to get an answer:
Get this information from the PHP diagnostic (in the configuration wizard).
Gallery URL (optional but very useful):
Gallery version: 1.5.1
Apache version: Apache/1.3.33 (Unix)
PHP version (don't just say PHP 4, please): 4.4.2
Graphics Toolkit: -
Operating system: -
Web browser/version (if applicable): Powweb hosting
Posts: 13451
All of this is entirely correct, and is addressed in Gallery 2. The permissions system in Gallery 1.x has been this way since day one, and will not be changed in that branch. You can however limit the possibility of someone crawling your site like that, with .htaccess limitations on who can grab the .dat files. Have a look at http://codex.gallery2.org/index.php/Gallery1:Securing for more info.
h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org
Posts: 3236
Dang dude...
You have your /albums/ dir in the same dir as your website. Isn't it fairly obvious that it would be web accessible? I'm pretty sure 98% of the other image hosting applications work the same way too. It is just the fastest, easiest way to do it.
To avoid this "major security flaw" you might choose to use Gallery 2, which filters *all* requests through PHP *AND* does not require your /g2data/ dir to be web accessible. In fact, it is strongly recommended that it *not* be web accessible.
I gotta give you a sarcastic congratulations on finding this "major security flaw" ;)
_________________________________
Support & Documentation || Donate to Gallery || My Website
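The two replies above describe the same architectural point from both sides: in Gallery 1 the pictures sit in /albums/ under the web root and Apache serves them directly, so the "Logged In" check only ever runs for the album pages that PHP renders, and a blank index.htm merely hides the directory listing. h0bbel's .htaccess advice (an Apache `<Files>` block that denies requests for the .dat metadata files) makes an album harder to enumerate, but it cannot stop someone who already knows a picture's filename, because the image bytes never pass through PHP. The following is an added example, not Gallery code, of the Gallery 2 style flow the second reply describes: the data directory lives outside the web root and every image request goes through a PHP script that performs the permission check before streaming the file. The data path, the `image.php?album=...&file=...` URL scheme, the `$RESTRICTED` table and the session key `user` are all assumptions for illustration.

```php
<?php
// Added example, not Gallery code. Every image request goes through this
// script, and the data directory is outside the web root, so Apache has
// no way to serve a picture directly. Assumed layout and names:
//   /home/site/g2data/albums/<album>/<file>   (NOT under the web root)
//   GET /image.php?album=<album>&file=<file>

$DATA_DIR = '/home/site/g2data/albums';   // assumption: outside the web root

// Assumed permission table: which albums require a login. In Gallery 1
// this check ran only for the album page, never for the raw file URL.
$RESTRICTED = array('family' => true, 'public' => false);

session_start();
$logged_in = !empty($_SESSION['user']);   // assumed session key

$album = isset($_GET['album']) ? $_GET['album'] : '';
$file  = isset($_GET['file'])  ? $_GET['file']  : '';

// 1. Whitelist both path components before touching the filesystem, so
//    "../", slashes or an absolute path cannot escape $DATA_DIR.
if (!preg_match('/^[A-Za-z0-9_-]+$/', $album) ||
    !preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $file)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// 2. Enforce the permission on the file request itself. This is the
//    check a direct /albums/<album>/aaa.jpg URL bypasses in Gallery 1.
if (!isset($RESTRICTED[$album])) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
if ($RESTRICTED[$album] && !$logged_in) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 3. Resolve the real path and confirm it is still inside $DATA_DIR
//    (defence in depth against symlinks or a loosened whitelist).
$base = realpath($DATA_DIR);
$path = realpath($DATA_DIR . '/' . $album . '/' . $file);
if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 4. Stream the bytes from PHP. With no Alias or DocumentRoot pointing
//    at $DATA_DIR, this script is the only route to the picture.
$ext  = strtolower(substr(strrchr($file, '.'), 1));
$mime = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'png' => 'image/png',  'gif' => 'image/gif');
header('Content-Type: ' . $mime[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private');
readfile($path);
```

The script deliberately uses only PHP 4 era constructs (no short array syntax, no type hints) to match the 4.4.2 install in the original post. The whitelist in step 1 rejects dots in the album name and anything but a single image extension in the file name, so traversal is refused before realpath is consulted; step 3 is there so that a later relaxation of the pattern still cannot escape the data directory.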
Posts: 6818
Hello ramo,
We take security issues VERY seriously.
So be sure of what you are doing when you make a forum post with such a topic.
As h0bbel said, this is a known circumstance in G1 and is fully covered in G2.
It would be nice if you would spare my health and, before I get a heart attack, just report your next security issue to the security mailing list.
So *IF* it's a security hole, we can make a fix and then go public.
Thanks in advance,
Jens
--
Last Gallery v1 developer and translation manager.
Posts: 12
Sorry for causing any palpitations,
but I guess I just took it for granted :S
Thanks for your help.
Back to good old manual .htaccess files for me :P
Posts: 13451
That's the whole G1 architecture; G2 does it in a completely different way.
h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org
Posts: 1153
Great!
Posts: 88
Tim_j wrote:
And what's that security mailing list? Not that I plan to submit anything, but just in case...
Or are PMs OK? Might get the wrong guy though...
Thanks,
-- Peter
http://www.schumacher.ch/foto
Posts: 6818
security AT gallery DOT menalto DOT com
Jens
--
Last Gallery v1 developer and translation manager.