A site I work on utilizes Serendipity to handle announcements, news, releases, etc. One particular use is releasing images regularly.
Sometimes, we add images to the Serendipity media library... but end up never using them. Sometimes we add images into posts that never get published and the post/image sit around as drafts.
It recently came to our attention, that some individual has been posting our images (from Serendipity) onto their site, which were loaded into our media library, but never published (post was NEVER released; nor was the image ever made public, beyond the admin interface). This is of concern to us because public release of these images is problematic if it is not actually intended.
To my knowledge, the media library and its files (viewing/browsing/etc) are only accessible from within the admin interface. Does anyone have any idea how this 3rd party individual happened to come across images from within our media library that were never publicly displayed/released/etc?
The server we run does not allow directory browsing; so the individual did not simply "load up" the directory Serendipity stores the images in. Certainly, someone could endlessly try different URLs until a match is found; but this seems highly unlikely. Our concern, is that Serendipity may have a flaw or feature we are unaware of that allows others to "view" the media library publicly (even if the images were never published within a post or made available).
Assistance/insight appreciated!
Media Library (leak?)
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Media Library (leak?)
Hi!
As soon as someone knows the filename of an uploaded image, it can be fetched through HTTP without a problem.
When you upload images to any folder that does not enforce user read permissions, it can be publically viewable through "guessing" any ID. There's actually no real way to upload an image to be publically viewable, without it being "automatically" viewable as well.
I suggest you do to this: Create a media directory that only has read permissions for the editor usergroups that your editors belong to. Upload your images there. And the images you actually want to USE, you should move to the public folder.
Then, when somebody uses an ID to a picture that lies in a protected folder, it cannot be seen by ID.
Of course, if the users know your filename, they can easily call it via HTTP none the less.
HTH,
Garvin
As soon as someone knows the filename of an uploaded image, it can be fetched through HTTP without a problem.
When you upload images to any folder that does not enforce user read permissions, it can be publically viewable through "guessing" any ID. There's actually no real way to upload an image to be publically viewable, without it being "automatically" viewable as well.
I suggest you do to this: Create a media directory that only has read permissions for the editor usergroups that your editors belong to. Upload your images there. And the images you actually want to USE, you should move to the public folder.
Then, when somebody uses an ID to a picture that lies in a protected folder, it cannot be seen by ID.
Of course, if the users know your filename, they can easily call it via HTTP none the less.
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/