
BIG PROBLEM! Photos from a private site are visible to the public/non-registered users. - Photo | Forum

shush
shush Feb 12 '13

If you know the software, all you have to do is guess the name of the pictures, and it looks like they are renamed numerically, so it's easy.


http://yrdomain.org/ow_userfiles/plugins/photo/photo_99.jpg


Try it: log in, right-click the picture, select "open image in new tab", and it should take you to a page that is just the picture on a blank screen. Copy the URL.

Sign out, paste the URL, and it will show you the same page.


Which means the photo directory is not protected by the global privacy settings.


It's happening to the new (last few days) upgrade as well as the old plugin.


Running 1.5.1 on two sites.


I need to fix this quite urgently; any suggestions?

Alia Team
Alia Feb 15 '13
Shush, basically there are three parties here: you, the photo, and the PHP script with the privacy check.

When you open a photo using its direct URL, you bypass the PHP privacy check and pull the data directly from the location where the photo was saved on the server.

Same applies to, for example, Facebook photos.

Currently the only way to secure access to photos via direct URL is to make the photo URLs more complex. This is a custom code modification.

shush
shush Feb 15 '13
Thanks for the explanation, Alia.


Next question: how difficult is it to do, or how much £££ or $$$ would it cost to get a custom code modification made?

David A
David A Mar 31 '13
It would be great if the file names could be randomized or obscured in some way... even if it was just a setting in the photo plugin specifying where the file numbering starts, or better yet, where the uploader ran some sort of algorithm based on the time and date of upload to randomly generate a file name for the photo...
shush
shush Apr 4 '13
Quote from David A: It would be great if the file names could be randomized or obscured in some way... even if it was just a setting in the photo plugin specifying where the file numbering starts, or better yet, where the uploader ran some sort of algorithm based on the time and date of upload to randomly generate a file name for the photo...

Brilliant idea.
Daniel
Daniel Nov 30 '13
I agree, this is something that has bothered me as well. It's a very simple change to the codebase (and I think it should be in the plugin). Just take a hash instead of the sequential number, and add it to the database. It's a few more operations during upload, but "free" when browsing the photos.
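The two fixes discussed in this thread (unguessable file names, and routing every request through the privacy check), written out as an added PHP example. This is not Oxwall's or the photo plugin's code; the `photo` table columns, the `PHOTO_DIR` path outside the web root and the `$pdo` connection are assumptions for illustration.

```php
<?php
// Added example, not part of Oxwall. Assumes a PDO connection $pdo and a table
// photo(id, owner_id, storage_name, is_private). PHOTO_DIR must sit OUTSIDE the
// document root so the web server can never hand the file out on its own.
const PHOTO_DIR = '/var/www/private_uploads/photo';   // hypothetical path

// Fix 1: an unguessable storage name. 16 bytes from the CSPRNG give 2^128
// possible names, so "photo_99.jpg" style enumeration no longer works.
function storeUploadedPhoto(PDO $pdo, int $ownerId, string $tmpPath, bool $isPrivate): int
{
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($tmpPath, PHOTO_DIR . '/' . $name)) {
        throw new RuntimeException('upload failed');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO photo (owner_id, storage_name, is_private) VALUES (?, ?, ?)'
    );
    $stmt->execute([$ownerId, $name, (int) $isPrivate]);
    return (int) $pdo->lastInsertId();
}

// Fix 2: a gatekeeper script, e.g. /photo.php?id=99. Because the directory is
// not URL-reachable, this function is the only way to get the bytes, and the
// privacy check runs on every request, logged out or not.
function servePhoto(PDO $pdo, int $photoId, ?int $viewerId): void
{
    $stmt = $pdo->prepare('SELECT owner_id, storage_name, is_private FROM photo WHERE id = ?');
    $stmt->execute([$photoId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    // Members-only site: a null viewer (not logged in) is always refused.
    // Private photos are additionally restricted to their owner.
    $allowed = $viewerId !== null
        && (!$row['is_private'] || $viewerId === (int) $row['owner_id']);
    if (!$allowed) {
        http_response_code(403);
        return;
    }
    // basename() guards against path traversal if the stored name were ever tampered with.
    $path = PHOTO_DIR . '/' . basename($row['storage_name']);
    header('Content-Type: image/jpeg');
    header('Cache-Control: private, no-store');   // keep shared caches from retaining it
    readfile($path);
}
```

Random names alone only stop guessing; once a link has been copied it keeps working after sign-out, which is exactly the test shush ran. The gatekeeper closes that gap because each fetch re-checks the session.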