Hi guys,
A guy registered at my site with a phony name, then there was no activity for 29 minutes (got that from my log file), and THEN proceeded to view a sub-album 2 levels deep!! I have set the permissions on this sub-album to allow anyone "logged in"; since the sub-album 1 level deep has a list of people that can view, I figured that no one would know the EXACT URL for the 2-level-deep sub-album (WRONG!).
:-?
So, my question is, how can one figure out the exact URLs of albums you can't even see? FYI, I have not yet figured out how you guys use the .htaccess file. Still learning...
Any hints to secure would be greatly appreciated!!
Thanks,
Ajoy
Posts: 8194
[edited]
I'll improve the securing docs about how to prevent this.
Posts: 65
Andrew,
2 questions: how did you figure out that the albums are in the 'albums' directory and... 2nd, could you not leave the albums exposed like this and get rid of the URL that you posted!!
I know I asked for it, but I don't mean present my site's vulnerability to everyone! :-?
Thanks!
Ajoy
PS: Nevermind, I figured the first part. It is evident from the source code, where the albums reside! Duh! That was dumb! :-?
BUT, BUT, BUT....can I change the albumdb.dat file name to something else??? Will THAT help??
Posts: 8194
No, but try adding a .htaccess file to your albums directory that looks like this:
<Files "*.dat">
    deny from all
</Files>
Posts: 65
GREAT. Thanks! As regards .htaccess, do I have to edit the httpd.conf file in Apache AND add the .htaccess file? I am a bit confused about that.
:/
Posts: 8194
No. If you have the correct "AllowOverride" settings on, .htaccess should be fine. If it doesn't work, tell me and I'll walk you through what you need to change in httpd.conf
Posts: 65
ok. I am lost. If I try to put ANYTHING in the .htaccess file (in the albums directory), the pages appear without images!
I have set up httpd.conf file as follows:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory c:\Apache\htdocs>
    AllowOverride Options FileInfo
</Directory>
<Directory c:\apache\htdocs\albums>
    Options None
    AllowOverride All
</Directory>
<Directory c:\apache\htdocs\album>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride Options FileInfo
</Directory>
Bet something is wrong there, right? Do I need to restart the Apache server, or does it pick up these changes automatically?
Like I said, me still learning...(still, after so many years!!)
Ajoy
Posts: 32509
If you change httpd.conf you gotta restart Apache.
Posts: 65
ok. I did that, and still all I get is the HTML page but no images come through.
So, this is my .htaccess code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://www.ajoy.no-ip.org/.*$ [NC]
    RewriteCond %{REMOTE_HOST} ^.*\.shutterfly.com$ [NC]
    RewriteRule ^/albums/.*\.(jpg|gif|avi|png)$ - [F]
</IfModule>
<Files "*.dat">
    deny from all
</Files>
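As an added example that none of the posters in this thread wrote, the following per-directory .htaccess for the albums directory denies the .dat files and hotlinked images, and its comments spell out the per-directory-context pitfalls to check against the httpd.conf shown earlier in the thread. It assumes Apache 2.2 access-control syntax (the 2.4 equivalent is noted in a comment), and www.example.com is a placeholder for the site's own hostname.

```apache
# Added example, not from this thread. .htaccess for the Gallery "albums"
# directory. Apache 2.2 syntax; on 2.4 replace the Order/Deny pair with
# "Require all denied". www.example.com is a placeholder hostname.

# 1. Never serve the album database or other metadata files over HTTP.
#    FilesMatch takes a regex, so anchoring on the extension also refuses
#    to match something like "photo.dat.jpg".
<FilesMatch "\.dat$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 2. No directory listings: if a sub-album has no index page, Apache would
#    otherwise enumerate every album directory name for a visitor.
#    Only honoured when httpd.conf grants "AllowOverride Options" (or All).
Options -Indexes

# 3. Hotlink protection. mod_rewrite in a per-directory context needs
#    FollowSymLinks (or SymLinksIfOwnerMatch) for this directory; with
#    "Options None" inherited from httpd.conf, every request under here is
#    refused with 403, which looks like an HTML page with no images.
Options +FollowSymLinks
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Let through requests that carry no Referer at all (direct links,
    # privacy proxies) so that legitimate visitors are not locked out ...
    RewriteCond %{HTTP_REFERER} !^$
    # ... and requests referred from this site; everything else is blocked.
    RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
    # In .htaccess the pattern is matched against the path relative to this
    # directory, so a pattern starting with "/albums/" never matches and the
    # rule silently does nothing; match on the file extension instead.
    RewriteRule \.(jpe?g|gif|png|avi)$ - [F,NC]
</IfModule>
```

A condition on %{REMOTE_HOST} only sees a hostname when HostnameLookups is On; otherwise it holds the client IP address and a pattern such as ^.*\.shutterfly.com$ never matches, so this example keys on the Referer alone.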