Enhanced Security

EduFabbri · October 7th, 2011, 04:21 PM

As far as I saw photos in VBGallery are simple "stored" in a folder of the server.

Since some categories can be set as "secured by password", or simple denied to some usergroups, I assumed there was some kind of security embedded. I've changed .htaccess file how it's described here and hence supposed everything was fine.

A pair of days ago, one friend emailed me a "secured" photo in it's full view. How did he do it? It was simpler than I imagined. He entered the user's profile and saw the thumbnail. He right clicked over the thumbnail, just rewrote the url and ... voila !! there was the full size image.

His words were.... "Your photo protection is a bad joke...."

He later told me there is a way to trully protect the photos and it involves using GD, geting the images in a folder with no user access and then doing something like this:

Code:

Content visible to verified customers only.

I was embarrassed that I had spent money in a Gallery system that doesn't protect my users.... Now I'm working in code to entirely overwrite the code since this is more than unacceptable for my kind of page.

Just wanted you to know it...

Edu

Chuck S · October 8th, 2011, 10:15 AM

Anyone if they know how to grab an image can. There is really no full proof way to protect images. An image is cached on the users computer so they have your image and most do not even know this.

If you do not use image protection and the user knows the real url to the image they will be able to view it. Viewing permissions are meant for use in the software using the script not fooling your server which is an entirely different thing.

vbGallery does not have all the image protection our Pro package does but I do beleive you can use GD2 to apply on the fly watermarking which will use a script to load the images hense the user is not shown the full url to the file.

However as stated if someone can guess the url to a file they will always be able to view it as there is nothing to stop them no script nothing they are simply viewing a file on your server has nothing to do with the script. You can prevent hotlinking so your images can not be viewed off other sites but there is a limit to what one can do.

Code you reference is already in place when on the fly watermarking is used you can check that out in the files. The point I am merely saying is images are always viewable if someone knows the full direct url to it.

An extra level of protection we use in the Pro product is where we change the storage url to a folder below the webroot. You can try Pro if you wish to investigate the storage capabilities of that product.