Forum

Neues Thema

Nachricht		Newest post at the top.

security tips

In a shared server environemt or as a result of an intrusion one cannot prevent that someone droppes a file into your album directory.

A little help is to prevent access to those files. You can do this if you can use .htaccess files and mod_rewrite is installed.

Add this to your .htaccess file:


RewriteEngine on

RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L, NC]

RewriteRule ^albums(.*) - [F, NC]

This will cause an access to fail for other then those listed extensions.

You can enhance this with reporting:


RewriteEngine on

RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L, NC]

RewriteRule ^albums(.*) /report.php [R, NC]

This will give some false alerts as Nimbda is still around and will trigger this.

You can prevent this at perfomance cost:


RewriteEngine on

RewriteCond %{REQUEST_FILENAME} -f

RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L, NC]

RewriteRule ^albums(.*) /report.php [R, NC]

Yo shit, I know how to get around this, but some will step into this.

Oki why not moving albums out of the document root? I did this long ago, but didn't realize how easy it is to use with Gallery.

Save this code into a file e.g. galimg.php:

<?

function acceptableImageList() {

  return array('jpg', 'jpeg', 'gif', 'png');

}


function isImage($tag) {

  $tag = strtolower($tag);

  return in_array($tag, acceptableImageList());

}



 // album directory


 $gd =   '/home/USER/albums';


 // a banner


 $banner = '/home/USER/www/banner.jpg';



 $qs = substr($_SERVER['QUERY_STRING'], 0, 255);

 $qs = strip_tags($qs, '');


 $fs = urldecode($qs);

 $qs = ereg_replace('[\:\*\?"<>\|;]', '_', $fs);



 $ext = substr(strrchr($qs, "."), 1);



 $fullPath = $gd . $qs;

 if( ($qs != $fs) || (!isImage($ext)) || (!file_exists($fullPath)) ) {

  $fullPath = $banner;

 }


 @readfile($fullPath);


?>

Now change in your gallery config.php file:


$gallery->app->albumDir = "/home/USER/albums";

$gallery->app->albumDirURL = "https://www.modelgraphy.com/galimg.php?";

$gallery->app->userDir = "/home/USER/albums/.users";

Replace USER and that domain accordingly and make sure albums is not in your document root.

I prefere another method:
config.php:


$gallery->app->albumDir = "/home/USER/albums";

$gallery->app->albumDirURL = "https://www.modelgraphy.com/albums";

$gallery->app->userDir = "/home/USER/albums/.users";

.htaccess:

RewriteEngine on

RewriteRule  ^albums(.*)  /galimg.php?$1

This disguises the script file and allows easier switching (some banners for hot linkers 😁 )

So now don't forget to move your albums directory into the proper location

Some words to the script. It makes some security checks and allows only those 4 image file types to be send

If something else is requested, the banner is sent.

Have fun with this
Rowald

This works perfectly for www.modelgraphy.com

 

Author:admin

2005-06-05

Neues Thema

