Php photo gallery TWG | JFUploader | TWG Flash upload | WFU | Forum
http://www.tinywebgallery.com/forum/

password bypass
http://www.tinywebgallery.com/forum/php-photo-gallery-bugs-f5/password-bypass-t2216.html
Page 1 of 1

Author:  user009 [ 25. Oct 2009, 11:03 ]
Post subject:  password bypass

Hi,

is it a bug, that you can bypass the password check if you know the filename of an image?

E.g.
/i_frames/i_popup.php?twg_album=<directory name album>&twg_show=<filename image>
You can find every directory name of an album in the source code of the main page.

or
/cache/<directory name album>_<filename image>.thumb.jpg
(Btw. when I set the cache dir to 744 instead of 774 no thumbs are shown in the album view anymore even if I have the password)

Maybe it is not so easy to find the proper filename, but what happens if I give a user just temp access? I won't change the filenames afterwards.
Another problem could be that a user has access to one album but not another. Due to the pattern of the filenames of "his album" he could make a very good guess of filenames from other albums.

Is there a solution for this problem?
Thanks.

rgds
user009

Author:  TinyWebGallery [ 25. Oct 2009, 20:55 ]
Post subject: 

Hi,

For the first thing I just implemented the password check. I'm currently testing this.

About the cache: there are 2 parameters you have to set. But be aware that changing this causes a PHP instance to be started for each image.
http://www.tinywebgallery.com/en/faq.php#h1 -> 4.

I'll have the new version already running in the demos. If no errors come in the log file till tomorrow I'll update the download.

- Michael

Author:  user009 [ 28. Oct 2009, 21:13 ]
Post subject: 

TinyWebGallery wrote:
About the cache: there are 2 parameters you have to set. But be aware that changing this causes a PHP instance to be started for each image.
http://www.tinywebgallery.com/en/faq.php#h1 -> 4.
Thanks. What is the impact in terms of performance? Is this setting a little bit slower (10-30%) or massive like 5 times?

rgds,
User009

Author:  TinyWebGallery [ 28. Oct 2009, 22:19 ]
Post subject: 

For each image a PHP instance has to be started - the cached images can be directly delivered.
So the CPU load is much higher. You have to test on your server.

But I would more say factor 5 than 20%. But if you don't really have many images I think you won't notice the difference on the user side.

- Michael

Author:  user009 [ 1. Nov 2009, 14:34 ]
Post subject: 

TinyWebGallery wrote:
I just implemented the password check. I'm currently testing this.


Did you have the chance to check the bypass issue with /i_frames/i_popup.php ?

rgds
user009

Author:  TinyWebGallery [ 1. Nov 2009, 22:05 ]
Post subject: 

If you don't use the direct mode this already works.

If you tell that originals are shown in the popup then I have no chance to check this.
For all calls over the image.php the check is now done.

- Michael
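
The approach discussed in this thread, serving each thumbnail through a PHP script that checks album access instead of letting the web server deliver files from /cache/ directly, as an added example that is not TinyWebGallery's code. The function names, the session key `album_access` and the cache location are assumptions; only the `<album>_<image>.thumb.jpg` naming pattern and the `twg_album` / `twg_show` parameter names are taken from the first post.

```php
<?php
// Added illustration, not TinyWebGallery code; all names are hypothetical.
// Assumption: the cache directory is outside the web root (or denied by the
// web server), so this script is the only way to reach a thumbnail.
const CACHE_DIR = '/var/www/private/twg_cache';   // assumed location

// Accept only plain names so a parameter cannot contain "/" or "..".
function is_safe_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}\z/', $name) === 1
        && strpos($name, '..') === false;
}

// Assumption: after a successful album login the application stores
// $_SESSION['album_access'][<album>] = true.
function may_view_album(array $session, string $album): bool
{
    return ($session['album_access'][$album] ?? false) === true;
}

// Returns [HTTP status, file path or null].
function resolve_thumb(array $session, string $album, string $image): array
{
    if (!is_safe_name($album) || !is_safe_name($image)) {
        return [400, null];
    }
    // Access is checked before the file system is touched, so a request
    // without access gets 403 whether or not the guessed file exists.
    if (!may_view_album($session, $album)) {
        return [403, null];
    }
    $path = CACHE_DIR . '/' . $album . '_' . $image . '.thumb.jpg';
    return is_file($path) ? [200, $path] : [404, null];
}

// Read a query parameter as a string; array-valued input becomes ''.
function param(string $key): string
{
    $v = $_GET[$key] ?? '';
    return is_string($v) ? $v : '';
}

if (PHP_SAPI !== 'cli') {            // request handling, skipped on the CLI
    session_start();
    [$status, $path] = resolve_thumb($_SESSION, param('twg_album'), param('twg_show'));
    http_response_code($status);
    if ($status === 200) {
        header('Content-Type: image/jpeg');
        header('Cache-Control: private, max-age=3600');
        readfile($path);
    }
}
```

Every thumbnail request now runs PHP, which is the CPU cost described in the replies above.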

All times are UTC + 1 hour [ DST ]