admin (Site Admin)
Joined: 02 Jun 2004, Posts: 64
Posted: 2005-Jun-04 22:05
Post subject: security tips
In a shared server environment, or as a result of an intrusion, one cannot prevent someone from dropping a file into your album directory.
A little help is to prevent access to those files. You can do this if you can use .htaccess files and mod_rewrite is installed.
Add this to your .htaccess file:
Code:
RewriteEngine on
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L,NC]
RewriteRule ^albums(.*) - [F,NC]
This will cause access to fail for anything other than those listed extensions.
You can enhance this with reporting:
Code:
RewriteEngine on
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L,NC]
RewriteRule ^albums(.*) /report.php [R,NC]
This will give some false alerts as Nimda is still around and will trigger this.
You can prevent this at performance cost:
Code:
RewriteEngine on
RewriteRule ^albums/.*\.(jpg|jpeg|gif)$ - [L,NC]
# the -f test belongs on the reporting rule: only report a non-image file that
# really exists (something dropped into albums), not probes for files that are not there
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^albums(.*) /report.php [R,NC]
Yo shit, I know how to get around this, but some will step into this.
OK, why not move albums out of the document root? I did this long ago, but didn't realize how easy it is to use with Gallery.
Save this code into a file, e.g. galimg.php:
Code:
<?php
// accepted image types (compared in lower case)
function acceptableImageList() {
    return array('jpg', 'jpeg', 'gif', 'png');
}
function isImage($tag) {
    $tag = strtolower($tag);
    return in_array($tag, acceptableImageList());
}
// album directory (outside the document root)
$gd = '/home/USER/albums';
// a banner, sent instead of anything that fails the checks
$banner = '/home/USER/www/banner.jpg';
$qs = substr($_SERVER['QUERY_STRING'], 0, 255);
$qs = strip_tags($qs, '');
$fs = urldecode($qs);
// replace characters that do not belong in an album path; if anything was
// replaced, $qs no longer equals $fs and the request is refused below
$qs = preg_replace('/[:*?"<>|;]/', '_', $fs);
$ext = substr(strrchr($qs, "."), 1);
$fullPath = $gd . $qs;
// resolve the path and require that it still lies inside the album directory,
// so that "../" sequences cannot reach files outside of it
$real = realpath($fullPath);
$base = realpath($gd);
if (($qs != $fs) || (!isImage($ext)) || ($real === false) || ($base === false)
    || !is_file($real) || (strncmp($real, $base . '/', strlen($base) + 1) !== 0)) {
    $real = $banner;
}
// tell the browser what it gets (the banner is a jpg as well)
$sendExt = strtolower(substr(strrchr($real, '.'), 1));
header('Content-Type: ' . ($sendExt == 'jpg' ? 'image/jpeg' : 'image/' . $sendExt));
@readfile($real);
?>
Now change in your gallery config.php file:
Code:
$gallery->app->albumDir = "/home/USER/albums";
$gallery->app->albumDirURL = "http://www.modelgraphy.com/galimg.php?";
$gallery->app->userDir = "/home/USER/albums/.users";
Replace USER and that domain accordingly and make sure albums is not in your document root.
I prefer another method:
config.php:
Code:
$gallery->app->albumDir = "/home/USER/albums";
$gallery->app->albumDirURL = "http://www.modelgraphy.com/albums";
$gallery->app->userDir = "/home/USER/albums/.users";
.htaccess:
Code:
RewriteEngine on
RewriteRule ^albums(.*) /galimg.php?$1
This disguises the script file and allows easier switching (some banners for hot linkers).
So now don't forget to move your albums directory into the proper location.
Some words on the script. It makes some security checks and allows only those 4 image file types to be sent. If something else is requested, the banner is sent.
Have fun with this
Rowald
This works perfectly for www.modelgraphy.com
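One check to go with the reporting rules in the post above, added here as example code of my own and not from the original post or from Gallery: an offline audit of Apache combined-format access logs (the format is an assumption) that lists non-image requests under /albums/ that were actually answered with a 200, and counts the rest as scanner noise, which is the same distinction the -f condition makes. The log lines are constructed samples.

```python
import re
from collections import Counter

# extensions the rules above let through (the gateway script also allows png)
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

# Apache "combined" log format (assumption: the server logs in that format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# constructed sample lines: two image hits, one non-image file that was served,
# one probe for a file that never existed, one request blocked by the [F] rule
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2005:22:05:01 +0200] "GET /albums/summer/img001.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2005:22:05:02 +0200] "GET /albums/summer/IMG002.JPG HTTP/1.1" 200 51002 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2005:22:05:09 +0200] "GET /albums/summer/c.php?x=1 HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2005:22:06:40 +0200] "GET /albums/summer/cmd.exe HTTP/1.0" 404 284 "-" "-"',
    '198.51.100.7 - - [04/Jun/2005:22:06:41 +0200] "GET /albums/summer/notes.txt HTTP/1.1" 403 291 "-" "-"',
]

def album_ext(path):
    """Lowercase extension of a request under /albums/ ("" if none); None if not under /albums/."""
    path = path.split("?", 1)[0]
    if not path.startswith("/albums/"):
        return None
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def audit(lines):
    """Return (served, noise): non-image requests under /albums/ that got a 200,
    and a Counter of the other statuses (probes for files that were not there)."""
    served, noise = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ext = album_ext(m["path"])
        if ext is None or ext in ALLOWED_EXT:
            continue
        if m["status"] == "200":
            served.append((m["ip"], m["path"].split("?", 1)[0]))
        else:
            noise[m["status"]] += 1
    return served, noise

if __name__ == "__main__":
    hits, probes = audit(SAMPLE_LOG)
    for ip, path in hits:
        print(f"served non-image under albums/: {path} to {ip}")
    print("ignored probe statuses:", dict(probes))
```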