Atomic Secure Linux
All times are UTC - 5 hours [ DST ]

 Post subject: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 12:58 pm 
Hi,

I'm facing a "task" regarding file security in Joomla CMS.
Basically it's a general security question.

I have content/articles that are only available for registered users. After login they can view them.
In those articles are images. But those images can be opened directly by entering the URL like: http://www.my_domain.com/images/myfolder/image.jpg
In this case those images are the most important part and they should not be accessible for the public.

How do you achieve this task?
By the hotlinking-htaccess-rewrite method like this? Is this safe enough?

Code:
RewriteEngine on
# Block image requests whose Referer is set but does not point at this site
# (flags are combined as [NC,OR]; without [OR] the conditions are ANDed, which is what is wanted here)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://my_domain/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my_domain/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG|bmp|BMP|wav)$ - [F]


Or by putting an htaccess into the images folder like this?
Code:
# Order takes "deny,allow" as one argument, no space after the comma
Order deny,allow
Deny from all
Allow from localhost


I have sort of a mental blockage about which direction to go. I surfed through the web and came to no satisfying conclusion.
Unfortunately there is no default Joomla implementation for that.
Thanks for any thoughts and help.


Last edited by BruceLee on Wed Nov 09, 2011 1:14 pm, edited 1 time in total.

 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 1:13 pm 
.htaccess will be more secure; a referrer header is easy to forge, so that's not going to stop anyone determined.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 1:41 pm 
Thanks Mike,

going the htaccess approach like this doesn't work!

Code:
<Files *.*>
# Order takes "deny,allow" as one argument, no space after the comma
Order deny,allow
Deny from all
Allow from localhost
</Files>


In this case the images get blocked totally.
Any idea how to avoid that?
Thanks a lot


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 1:52 pm 
Try using the IP of the first or last ethX on the machine. It will be Apache (or the PHP user if not) that is accessing the directory, so if it doesn't talk to the outside world as localhost then maybe it will be an IP on the machine?

I've not used this method myself so I'm only guessing.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 2:12 pm 
Thanks, tried that too. Unfortunately with no success.


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 2:32 pm 
Is the syntax correct? i.e. is it like iptables, where the first match wins? So should it be "allow from" before the "deny from"?



 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 2:43 pm 
Thanks. Yes, the syntax is correct due to the order I set. The logfile shows me that the client IP is blocked.
It seems like the loading is done by the client all the time and therefore this solution doesn't work in my case :(


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 2:47 pm 
It's not localhost/Apache that accesses the image, it's the end user and their IP, so rules like that in the .htaccess aren't going to work.

One way (the only way I know) is to create a PHP wrapper round all your images (I guess you could use a rewrite rule for that) that does the necessary checks (hopefully just "is logged in") and then provides the image (i.e. it picks the image file off of the server and presents it through the PHP script), so that the interaction with the image is via the PHP script, not via the end user. Then you can block access to the images using the .htaccess rules above.

Paul
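The wrapper Paul describes, written out as an added example (it is not Joomla's code and was not posted in this thread); the `logged_in` session flag and the `protected_images` location are assumptions, and the image folder itself is blocked with the `Order deny,allow` / `Deny from all` .htaccess from earlier in the thread:

```php
<?php
// image.php -- pages reference <img src="/image.php?f=myfolder/image.jpg">
// The folder holding the originals is blocked from direct requests with the
// thread's .htaccess ("Order deny,allow" / "Deny from all"); only this script,
// running as the web server user, reads from it.
declare(strict_types=1);
session_start();

// Assumption: the application sets $_SESSION['logged_in'] = true on login.
$imageRoot = realpath(__DIR__ . '/protected_images');   // assumed location
$allowed   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'png' => 'image/png',  'gif' => 'image/gif'];

function fail(int $status, string $text): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $text;
    exit;
}

// 1. Authorisation: unauthenticated clients never reach the filesystem code.
if (empty($_SESSION['logged_in'])) {
    fail(403, 'Login required');
}

// 2. Whitelist the name (letters, digits, '-', '_', '/' plus one extension); reject '..'.
$name = (string) ($_GET['f'] ?? '');
if ($name === '' || strpos($name, '..') !== false
    || !preg_match('~^[A-Za-z0-9_/-]+\.([A-Za-z0-9]+)$~', $name, $m)) {
    fail(400, 'Bad image name');
}
$ext = strtolower($m[1]);
if (!isset($allowed[$ext])) {
    fail(400, 'Unsupported image type');
}

// 3. Resolve the real path and confirm it is still inside $imageRoot (defeats symlink tricks).
$path = realpath($imageRoot . '/' . $name);
if ($imageRoot === false || $path === false || !is_file($path)
    || strncmp($path, $imageRoot . DIRECTORY_SEPARATOR, strlen($imageRoot) + 1) !== 0) {
    fail(404, 'Not found');
}

// 4. Stream the bytes with the right type and no shared caching, so logging out revokes access.
header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

image.php has to live outside the blocked folder (the block applies to browser requests, not to PHP reading the disk), and the web server user needs read permission on the originals.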


 Post subject: Re: Joomla Security question regarding images
Unread postPosted: Wed Nov 09, 2011 2:56 pm 
Thanks.
Yes and no. It depends on whether the Joomla framework loads stuff or not. Anyway, making a wrapper like you mentioned would need an integration in Joomla, and then I wouldn't need to work with .htaccess anymore. Rewrites like that would be a workaround but not the best choice, I think. It's too cascading.
I guess I will have to dig deeper and see if I can achieve it differently.
Thanks a lot for your help.

