
Joomla Security question regarding images

Posted: Wed Nov 09, 2011 12:58 pm
by BruceLee
Hi,

I'm facing a "task" regarding file security in Joomla CMS.
Basically it's a general security question.

I have content/articles that are only available for registered users. After login they can view them.
In those articles are images. But those images can be opened directly by entering the URL like: http://www.my_domain.com/images/myfolder/image.jpg
In this case those images are the most important part and they should not be accessible for the public.

How do you achieve this task?
By the hotlinking-htaccess-rewrite method like this? Is this safe enough?

Code:

RewriteEngine on
# Let through requests that send no Referer at all (many proxies and clients strip it) ...
RewriteCond %{HTTP_REFERER} !^$
# ... and requests whose Referer is this site, with or without www. Everything else gets a 403.
# Flags belong in one bracket group ([NC,OR], not [NC] [OR]); the two OR'd negated
# conditions in the original could never both be false, so the rule blocked the site's own pages too.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my_domain/.*$ [NC]
RewriteRule \.(gif|jpg|bmp|wav)$ - [F,NC]
Or by putting an htaccess into the images folder like this?

Code:

# The keywords of Order are separated by a comma only; "deny, allow" with a space is a syntax error
Order Deny,Allow
Deny from all
# A hostname here needs a (double reverse) DNS lookup to match; 127.0.0.1 is the usual form
Allow from localhost
I have sort of a mental blockage in which direction to go. Surfed through the web and came to no satisfying conclusion.
Unfortunately there is no default Joomla implementation for that.
Thanks for any thoughts and help.

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 1:13 pm
by mikeshinn
htaccess will be more secure; a referrer header is easy to forge, so that's not going to stop anyone determined.

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 1:41 pm
by BruceLee
Thanks Mike,

going the htaccess approach like this doesn't work!

Code:

<Files *.*>
# Keywords of Order are separated by a comma only (no whitespace)
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
In this case the images get blocked totally.
Any idea how to avoid that?
Thanks a lot

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 1:52 pm
by faris
try using the IP of the first or last ethX on the machine. It will be apache (or the php user if not) that is accessing the directory, so if it doesn't talk to the outside world as localhost then maybe it will be an IP on the machine?

I've not used this method myself so I'm only guessing.

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 2:12 pm
by BruceLee
Thanks, tried that too. Unfortunately with no success.

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 2:32 pm
by faris
Is the syntax correct? i.e. is it like iptables, where the first match wins? So should it be "allow from" before the "deny from"?

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 2:43 pm
by BruceLee
Thanks. Yes, the syntax is correct due to the order I set. The logfile shows me that the client IP is blocked.
It seems like the loading is done by the client all the time and therefore this solution doesn't work in my case :(

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 2:47 pm
by paulie
It's not localhost/Apache that accesses the image, it's the end user and their IP, so rules like that in the .htaccess aren't going to work.

One way (the only way I know) is to create a PHP wrapper round all your images (I guess you could use a rewrite rule for that) that does the necessary checks (hopefully just "is logged in") and then provides the image (i.e. it picks the image file off the server and presents it through the PHP script), so that the interaction with the image is via the PHP script, not via the end user. Then you can block access to the images using the .htaccess rules above.

Paul
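
Paul's suggestion above, worked through as an added example; this is not code from the original thread and not part of Joomla itself. It is a wrapper script (hypothetical name image.php, placed in the Joomla root) plus the rewrite rule that routes image URLs to it. It assumes a Joomla 1.6/1.7/2.5-style install (includes/defines.php, includes/framework.php, JFactory::getUser() with its guest flag) and a hypothetical directory /var/www/protected-images that lies outside the document root. Keeping the files outside the web root means there is no direct URL for Apache to serve at all, which sidesteps the Allow/Deny problem discussed above (the request always comes from the end user's IP, never from localhost). The directory names, the script name and the query parameter are assumptions.

```php
<?php
/*
 * Added example, not from the original thread and not Joomla core code.
 * Serves images that live OUTSIDE the web root, only to logged-in Joomla users.
 *
 * Assumed (hypothetical) layout:
 *   /var/www/site/             Joomla root; this file is /var/www/site/image.php
 *   /var/www/protected-images/ the images that must not be fetched directly
 *
 * Rewrite rule for the root .htaccess (alongside Joomla's own rules), so that
 * articles can use <img src="/protected-images/myfolder/image.jpg">:
 *
 *   RewriteEngine On
 *   RewriteRule ^protected-images/(.+)$ image.php?file=$1 [L]
 */

define('_JEXEC', 1);
define('JPATH_BASE', __DIR__);
require_once JPATH_BASE . '/includes/defines.php';
require_once JPATH_BASE . '/includes/framework.php';

// Extension whitelist mapped to the Content-Type we will send. Anything not
// listed is refused rather than sniffed, so the script cannot be used to
// serve PHP sources, .htaccess files or other things that happen to be nearby.
$allowed_types = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
);

/**
 * Resolve a user-supplied relative name against the protected base directory.
 * Returns the absolute path, or null when the name escapes the base directory,
 * does not exist, or has a disallowed extension. realpath() canonicalises
 * "../" segments and symlinks before the prefix comparison is made.
 */
function resolve_protected_path($base, $name, array $allowed_types)
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    // NUL bytes can truncate paths in the underlying C calls; reject them outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed_types[$ext])) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The canonical file path must start with the canonical base plus a separator.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function send_status($code, $text)
{
    header($_SERVER['SERVER_PROTOCOL'] . " $code $text", true, $code);
    exit;
}

// 1. Authorisation: bootstrap Joomla so the visitor's session is loaded, then
//    refuse guests. The browser sends the Joomla session cookie with every
//    <img> request, so a logged-in user passes here exactly as on the article page.
$app = JFactory::getApplication('site');
$app->initialise();
$user = JFactory::getUser();
if ($user->guest) {
    send_status(403, 'Forbidden');
}

// 2. Path validation against the hypothetical directory outside the web root.
$file = isset($_GET['file']) ? $_GET['file'] : '';
$path = resolve_protected_path(dirname(JPATH_BASE) . '/protected-images', $file, $allowed_types);
if ($path === null) {
    // One answer for "missing", "wrong type" and "outside the directory", so the
    // script does not confirm which files exist.
    send_status(404, 'Not Found');
}

// 3. Hand over the bytes with an explicit type and no shared caching.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $allowed_types[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Two things to check after installing something like this: that a request for /protected-images/../configuration.php (and its URL-encoded variants) gets a 404 and not the file, and that the same image URL returns 403 from a browser with no session cookie, which is the test the Referer rule from the first post fails, since the Referer is whatever the client chooses to send.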

Re: Joomla Security question regarding images

Posted: Wed Nov 09, 2011 2:56 pm
by BruceLee
Thanks.
Yes and No. It depends if the Joomla Framework loads stuff or not. Anyway. Making a wrapper like you mentioned would need an integration in Joomla and then I wouldn't need to work with htaccess anymore. Rewrites like that would be a workaround but not the best choice I think. It's too cascading.
I guess I will have to dig deeper and see if I can achieve it differently.
Thanks a lot for your help.