Joomla Security question regarding images

BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Hi,

I'm facing a "task" regarding file security in Joomla CMS.
Basically it's a general security question.

I have content/articles that are only available for registered users. After login they can view them.
In those articles are images. But those images can be opened directly by entering the URL like: http://www.my_domain.com/images/myfolder/image.jpg
In this case those images are the most important part and they should not be accessible to the public.

How do you achieve this task?
By the hotlinking-htaccess-rewrite method like this? Is this safe enough?

Code:

RewriteEngine on
# Requests that send no Referer at all are let through
RewriteCond %{HTTP_REFERER} !^$
# Forbid only when the Referer is neither of the site's own host names
RewriteCond %{HTTP_REFERER} !^http://my_domain/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.my_domain/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG|bmp|BMP|wav)$ - [F]

Or by putting an htaccess into the images folder like this?

Code:

order deny,allow
deny from all
allow from localhost

I have sort of a mental blockage in which direction to go. Surfed through the web and came to no satisfying conclusion.
Unfortunately there is no default Joomla implementation for that.
Thanks for any thoughts and help.
Last edited by BruceLee on Wed Nov 09, 2011 1:14 pm, edited 1 time in total.

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

htaccess will be more secure; a referrer header is easy to forge, so that's not going to stop anyone determined.

BruceLee

Thanks Mike,

going the htaccess approach like this doesn't work!

Code:

<Files *.*>
order deny,allow
deny from all
allow from localhost
</Files>

In this case the images get blocked totally.
Any idea how to avoid that?
Thanks a lot

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Try using the IP of the first or last ethX on the machine. It will be apache (or the php user if not) that is accessing the directory, so if it doesn't talk to the outside world as localhost then maybe it will be an IP on the machine?

I've not used this method myself so I'm only guessing.

BruceLee

Thanks, tried that too. Unfortunately with no success.

faris

Is the syntax correct? i.e. is it like iptables, where the first match wins? So should it be "allow from" before the "deny from"?

BruceLee

Thanks. Yes, the syntax is correct due to the order I set. The logfile shows me that the client IP is blocked.
It seems like the loading is done by the client all the time and therefore this solution doesn't work in my case :(

paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

It's not localhost/Apache that accesses the image, it's the end user and their IP, so rules like that in the .htaccess aren't going to work.

One way (the only way I know) is to create a PHP wrapper round all your images (I guess you could use a rewrite rule for that) that does the necessary checks (hopefully just "is logged in") and then provides the image (i.e. it picks the image file off of the server and presents it through the PHP script), so that the interaction with the image is via the PHP script, not via the end user. Then you can block access to the images using the .htaccess rules above.

Paul
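
The wrapper approach described in the post above, as an added example that is not code from the thread or from Joomla. It assumes a plain PHP session with a `user_id` key as a stand-in for the CMS login check, a hypothetical script name `image.php`, and the `images/myfolder` directory from the question.

```php
<?php
// image.php (added example): serve a protected image only to logged-in users.
// Assumptions: files live in PROTECTED_DIR, closed to direct requests by a
// "deny from all" .htaccess; pages link to image.php?file=<name>.
const PROTECTED_DIR = __DIR__ . '/images/myfolder';
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'bmp' => 'image/bmp'];

// Hypothetical login check: stands in for the CMS's own session check.
function user_is_logged_in(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

// Map a requested name to [real path, MIME type] inside PROTECTED_DIR, or null.
function resolve_image($name): ?array
{
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return null;                        // arrays and NUL bytes are rejected
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                        // only the listed image types are served
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $name);
    // realpath() resolves "../" and symlinks; the result must stay below $base.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return [$path, ALLOWED_TYPES[$ext]];
}

if (!user_is_logged_in()) {
    http_response_code(403);                // not logged in: no image
    exit;
}
$image = resolve_image($_GET['file'] ?? '');
if ($image === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $image[1]);
header('Content-Length: ' . filesize($image[0]));
header('Cache-Control: private, no-store'); // keep copies out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($image[0]);
```

Because PHP reads the file from disk, the `deny from all` rule on the image directory does not affect the script, only direct browser requests.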

BruceLee

Thanks.
Yes and No. It depends if the Joomla Framework loads stuff or not. Anyway. Making a wrapper like you mentioned would need an integration in Joomla and then I wouldn't need to work with htaccess anymore. Rewrites like that would be a workaround but not the best choice I think. It's too cascading.
I guess I will have to dig deeper and see if I can achieve it differently.
Thanks a lot for your help.