Media Library (leak?)
Posted: Tue Sep 29, 2009 5:31 pm
A site I work on utilizes Serendipity to handle announcements, news, releases, etc. One particular use is releasing images regularly.
Sometimes, we add images to the Serendipity media library... but end up never using them. Sometimes we add images into posts that never get published and the post/image sit around as drafts.
It recently came to our attention that some individual has been posting our images (from Serendipity) onto their site, which were loaded into our media library, but never published (post was NEVER released; nor was the image ever made public, beyond the admin interface). This is of concern to us because public release of these images is problematic if it is not actually intended.
To my knowledge, the media library and its files (viewing/browsing/etc) are only accessible from within the admin interface. Does anyone have any idea how this 3rd party individual happened to come across images from within our media library that were never publicly displayed/released/etc?
The server we run does not allow directory browsing, so the individual did not simply "load up" the directory Serendipity stores the images in. Certainly, someone could endlessly try different URLs until a match is found, but this seems highly unlikely. Our concern is that Serendipity may have a flaw or feature we are unaware of that allows others to "view" the media library publicly (even if the images were never published within a post or made available).
Assistance/insight appreciated!