Php photo gallery TWG | JFUploader | TWG Flash upload | WFU | Forum

Get help for TinyWebGallery, the best image gallery. The forum is also home for the Joomla JFUploader, TWG Flash Uploader and the Wordpress flash uploader.
It is currently 1. Nov 2024, 02:14

This forum is readonly now. Please use the new forum if you don't find the answer to your question here. The new forum is at https://www.tinywebgallery.com/blog/forum/


All times are UTC + 1 hour [ DST ]




Post new topic Reply to topic  [ 6 posts ] 
Author Message
 Post subject: password bypass
PostPosted: 25. Oct 2009, 11:03 
Offline

Joined: 25. Oct 2009, 10:41
Posts: 6
Hi,

is it a bug, that you can bypass the password check if you know the filename of an image?

E.g.
/i_frames/i_popup.php?twg_album=<directory name album>&twg_show=<filename image>
You can find every directoy name of an album in the source code of the main page.

or
/cache/<directory name album>_<filename image>.thumb.jpg
(Btw. when I set the cache dir to 744 instead of 774 no thumbs are shown in the album view anymore even if I have the password)

Maybe it is not so easy to find the proper filename but whate happens if I give an user just temp access? I won´t change the filenames afterwards.
Another problem could be that an user has access to one album but not another. Due to the pattern of the filenames of "his album" he could make a very good guess of filenmane from other albums.

Is there a solution for this problem?
Thanks.

rgds
user009


Top
 Profile  
 
 Post subject:
PostPosted: 25. Oct 2009, 20:55 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
Hi,

for the first thing I just implemented the password check. I'm currently testing this.

about the cache: there are 2 parameters you have to set. but be aware that changing this causes that a php instance is started for each image.
http://www.tinywebgallery.com/en/faq.php#h1 -> 4.

I'll have the new version already running in the demo's. If no errors come in the log file till tomorrow i'll update the download.

- Michael


Top
 Profile  
 
 Post subject:
PostPosted: 28. Oct 2009, 21:13 
Offline

Joined: 25. Oct 2009, 10:41
Posts: 6
TinyWebGallery wrote:
about the cache: there are 2 parameters you have to set. but be aware that changing this causes that a php instance is started for each image.
http://www.tinywebgallery.com/en/faq.php#h1 -> 4.
l


Thanks. What is the impact in terms of perfomance? Is this setting a little bit slower (10-30%) or massive like 5 times?

rgds,
User009


Top
 Profile  
 
 Post subject:
PostPosted: 28. Oct 2009, 22:19 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
For each image a php instance has to be startet - the cached images can be diretly delivered.
So the CPU load is much higher. You have to test on your server.

But I would more say factor 5 than 20%. But if you don't really much images I think you won't notice the difference on the user side.

- Michael


Top
 Profile  
 
 Post subject:
PostPosted: 1. Nov 2009, 14:34 
Offline

Joined: 25. Oct 2009, 10:41
Posts: 6
TinyWebGallery wrote:
I just implemented the password check. I'm currently testing this.


Did you have the chance to check the bypass issue with /i_frames/i_popup.php ?

rgds
user009


Top
 Profile  
 
 Post subject:
PostPosted: 1. Nov 2009, 22:05 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
if you don't use the direct mode this already works.

If you tell that originals are shown in the popup then I have no change to check this.
for all calls over the image.php the check is now done.

- Michael


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour [ DST ]


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron
powered by phpbb | Datenschutz/ Privacy policy