Var folder exposure

udaraaka

Joined: 2012-02-03
Posts: 29
Posted: Sat, 2012-09-08 07:03

Hi, I found that the var/albums folder in my gallery is exposed to everyone, I mean if I access the URL myexamplesite.com/var/albums, all folders and photos are visible. I think you guys should put a .htaccess with Options -Indexes to protect that folder from the public. This is my opinion; there may be some better solutions.

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Sat, 2012-09-08 07:12
 
tempg

Joined: 2005-12-17
Posts: 1857
Posted: Sat, 2012-09-08 16:50

For some reason, @floridave's link got changed; it was meant to be:
http://codex.gallery2.org/Gallery3:FAQ#Are_my_photos_secure.3F_They.27re_right_there_on_my_website.21

 
udaraaka

Joined: 2012-02-03
Posts: 29
Posted: Sun, 2012-09-09 02:03

Ok, you guys didn't get my point. I mean even when photos are public and viewable by everyone, they are supposed to be viewed through the website, not by browsing the URLs. Why do we allow this? A few days ago, the awstats log for one of my websites showed me a sudden 20GB increase in my bandwidth usage and an increased amount of hits on images. I am sure someone has grabbed all my contents without browsing the gallery, because there was no significant increase in page views. This can happen to others too and I think you guys should prevent that. It's just one file with a few bytes.

Anyway thanks for your replies floridave and tempg.

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Sun, 2012-09-09 03:22

No, we don't get your point.
Directory listing is not permitted on my test server:
http://www.langleycom.com/gallery3/var/albums/
No special config, just that way out of the box. Most hosts have some control panel or other method to disallow directory listings.

If images are public, the public can view them. If you set permissions for the public not to view them, then they can't.

You need to do a better job of explaining what you are after. Perhaps some real URLs will help us understand.

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

 
udaraaka

Joined: 2012-02-03
Posts: 29
Posted: Sun, 2012-09-09 04:39
 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Sun, 2012-09-09 05:33

Well I just demonstrated:

floridave wrote:
Directory listing is not permitted on my test server:
http://www.langleycom.com/gallery3/var/albums/

that directory listings can be turned off and they are by default on my host.
Perhaps those sites don't care?

There are many ways to disable that if you so desire.

some random google search wrote:
First of all, find where the main Apache config file httpd.conf is located. If you use Debian, it should be here: /etc/apache/httpd.conf. Using a file editor like Vim or Nano, open this file and find the line that looks as follows:

Options Includes Indexes FollowSymLinks MultiViews

then remove the word Indexes and save the file. The line should look like this one:

Options Includes FollowSymLinks MultiViews

After that is done, restart Apache (e.g. /etc/init.d/apache restart in Debian). That's it!

a different method mentioned before wrote:
Log in to your cPanel
Click on Index Manager
Directories will be listed. Click on the directory name for which you want to disable directory browsing
Select No Index and click Save
The directory browsing feature should be disabled by now

Different methods for different users:
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/

I don't think it is up to the application to provide this. Some would argue that adding .htaccess files would cause more issues than solve. Adding .htaccess rules would be the only way that we could do it.

If you feel very strongly that it should be addressed, then feel free to create a ticket:
https://sourceforge.net/apps/trac/gallery/newticket

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

 
tempg

Joined: 2005-12-17
Posts: 1857
Posted: Sun, 2012-09-09 12:08

Some people care strongly about this, some don't care at all, and a few fall in between. I think your point is valid to assist those that care strongly but don't know how to address it. But I also think that those who care strongly most likely have already disabled indexing site-wide. At the end of the day, it's a judgment call and I don't think it's wrong to do this either way. (For those that care, this is normally brought up as a general security issue rather than in terms of accessing images, since it's generally known that even adding this line won't "protect" images.)

If I'm reading you correctly, you've already implemented the easiest solution (i.e. adding "Options -Indexes" to your htaccess file), but are recommending that that line be added to the htaccess that ships with Gallery. If that's correct, then the best course is to create the ticket, as recommended above.

udaraaka wrote:
sudden 20GB increase in my bandwidth usage and increased amount of hits on images

Could also be search engines indexing them. If you want to know for sure, check your access logs.
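One way to do the access-log check tempg suggests, as an added example that is not part of this thread or of Gallery: it parses Apache combined-format lines, counts per client how many gallery pages were viewed versus how many originals under var/albums/ were fetched directly (plus any 200 on a bare directory URL, which means a listing was served), and separates self-declared crawlers from the rest. The log lines and addresses are constructed; the /gallery3/ prefix is assumed from floridave's test URL.

```python
import re
from collections import defaultdict

# Apache "combined" log format (constructed sample lines below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2012:01:02:03 +0000] "GET /gallery3/var/albums/ HTTP/1.1" 200 5120 "-" "Wget/1.13"
203.0.113.7 - - [09/Sep/2012:01:02:04 +0000] "GET /gallery3/var/albums/trip/img1.jpg HTTP/1.1" 200 2048000 "-" "Wget/1.13"
203.0.113.7 - - [09/Sep/2012:01:02:05 +0000] "GET /gallery3/var/albums/trip/img2.jpg HTTP/1.1" 200 1900000 "-" "Wget/1.13"
198.51.100.9 - - [09/Sep/2012:01:05:00 +0000] "GET /gallery3/index.php/trip HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Sep/2012:01:05:01 +0000] "GET /gallery3/var/thumbs/trip/img1.jpg HTTP/1.1" 200 12000 "http://myexamplesite.com/gallery3/index.php/trip" "Mozilla/5.0"
192.0.2.5 - - [09/Sep/2012:01:07:00 +0000] "GET /gallery3/var/albums/trip/img1.jpg HTTP/1.1" 200 2048000 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

def parse_log(text):
    """Yield one dict per line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(entries):
    """Per client: gallery page views vs. direct hits under var/albums/."""
    stats = defaultdict(lambda: {"pages": 0, "images": 0, "bytes": 0,
                                 "listings": 0, "crawler": False})
    for e in entries:
        s = stats[e["ip"]]
        path = e["path"].split("?", 1)[0]
        if "/var/albums/" in path and e["status"] == "200":
            if path.endswith("/"):
                s["listings"] += 1   # 200 on a directory URL: a listing was served
            else:
                s["images"] += 1     # an original fetched straight from disk
                s["bytes"] += int(e["bytes"]) if e["bytes"] != "-" else 0
        elif "/var/" not in path:
            s["pages"] += 1          # anything outside var/ counts as a page view
        if "bot" in e["ua"].lower():
            s["crawler"] = True      # self-declared search engine crawler
    return dict(stats)

def bulk_grabbers(stats, min_images=2):
    """Clients pulling originals without ever loading a gallery page."""
    return sorted(ip for ip, s in stats.items()
                  if not s["crawler"] and s["pages"] == 0
                  and (s["listings"] > 0 or s["images"] >= min_images))

if __name__ == "__main__":
    for ip in bulk_grabbers(summarize(parse_log(SAMPLE_LOG))):
        print("direct album download without page views:", ip)
```

Clients that show up here are the ones a listing or a guessed var/albums/ path served directly; crawlers are reported separately so a search engine indexing the images is not mistaken for a bulk grab.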