lighttpd and .htaccess security

hollaho

Joined: 2009-09-20
Posts: 10
Posted: Wed, 2012-09-26 07:18

There are sufficient instructions to get gallery3 installed and working on lighttpd but one security issue seems to remain:

Whoever knows the link to a specific image can access it without being logged in even if the permissions for the image are restricted in gallery3. And if he can guess the filenames for the other images then he can access them as well.

Is there a way around this? Some way to get the .htaccess better translated? Or does this problem also exist when using apache server and is really a general issue?

How exactly does the .htaccess prevent people knowing the exact deeplink from accessing the file without being logged in?

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Wed, 2012-09-26 12:28

The issue does not exist on the supported platform.
FAQ: Are my photos secure? They're right there on my website!

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
hollaho

Joined: 2009-09-20
Posts: 10
Posted: Wed, 2012-09-26 18:52

Quite possible. I am using lighty however.

But it would be interesting to know how exactly that .htaccess protects the files on apache/linux. Then one can possibly adapt that mechanism also for lighttpd.

I am anyway curious how a .htaccess file locks down files "like fort knox" and manages to check the login/group credentials. If it is simply a redirect and a certain php then passes the file through after checking then one should find a way to put that redirect also on lighty.
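
The mechanism the last post guesses at (the web server stops serving image files directly and hands each request to application code, which checks the session's permissions before passing the file through) looks like this in code. This is an added illustration, not Gallery 3's code and not part of the original thread; `serve_protected`, the ACL layout, the group names and the sample files are assumptions constructed for the example.

```python
import os
import tempfile

def serve_protected(media_root, rel_path, user_groups, acl):
    """Gatekeeper for a request the web server routed here instead of
    serving the file itself. Returns (status, body).

    acl (hypothetical layout) maps an album directory, relative to
    media_root, to the set of groups allowed to view it; albums that
    are not listed are public.
    """
    root = os.path.realpath(media_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    # Reject paths that resolve outside the media root (../, symlinks).
    if os.path.commonpath([root, target]) != root:
        return 403, b""
    # Check permissions before touching the file, so a denied user cannot
    # tell existing filenames from guessed ones. A restriction on a parent
    # album applies to everything below it.
    album = os.path.relpath(os.path.dirname(target), root)
    while True:
        allowed = acl.get(album)
        if allowed is not None and not (allowed & set(user_groups)):
            return 403, b""
        if album == ".":
            break
        album = os.path.dirname(album) or "."
    if not os.path.isfile(target):
        return 404, b""
    with open(target, "rb") as fh:
        return 200, fh.read()

def demo():
    """Constructed sample tree: one restricted album, one public album."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "private", "sub"))
        os.makedirs(os.path.join(root, "public"))
        for name in ("private/sub/a.jpg", "public/b.jpg"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"img")
        acl = {"private": {"family"}}
        requests = [("private/sub/a.jpg", []), ("private/sub/a.jpg", ["family"]),
                    ("public/b.jpg", []), ("../etc/passwd", []),
                    ("private/guess.jpg", []), ("public/guess.jpg", [])]
        return [serve_protected(root, p, g, acl)[0] for p, g in requests]
```

The check only protects anything if the web server refuses to serve the media directory directly, so that every image request has to pass through the gatekeeper.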