Author Topic: Security Problem in 4images 1.7.1  (Read 16835 times)


Offline naif824

Security Problem in 4images 1.7.1
« on: March 23, 2005, 05:45:07 AM »
Mornings Ppl

I'm using 1.7.1

After I logged in as a regular registered user (assume the user: aa),

then after I browse the gallery,

if I stop at an image

and copy the URL in the address bar,

then send it to anybody, like this:

http://www.kashtah.com/4images/details.php?image_id=623&sessionid=NMPJf2wUjHBvw

he will be able to get himself into my account!!

How could I modify this to restrict that?

I mean, to ask for a user & password if there was no cookie?



best regards

Offline V@no

« Reply #1 on: March 23, 2005, 07:11:57 AM »
The reason the sessionid is printed in the URL is because no cookies were set previously...
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline naif824

« Reply #2 on: March 23, 2005, 10:38:12 AM »
How could I enable cookies?

Offline V@no

« Reply #3 on: March 23, 2005, 11:55:20 PM »
Cookies are part of the web client (browser). If the browser or some other software is blocking cookies, there is not much you can do about it from the server side...

Offline naif824

« Reply #4 on: March 24, 2005, 12:48:48 AM »
Well, the cookies are enabled in my browser, and I got that link. How could that be understood?

Offline naif824

« Reply #5 on: March 24, 2005, 12:49:29 AM »
BTW, have a look at my gallery: http://www.kashtah.com/4images


regards

Offline V@no

« Reply #6 on: March 24, 2005, 01:13:29 AM »
That is a problem with your server configuration and the cache feature in v1.7.1.

Unfortunately the topic with a fix was lost after the hack... and I don't remember what exactly was causing it and how to fix it...
For now, try to disable the cache feature.

Offline naif824

« Reply #7 on: March 24, 2005, 10:50:39 AM »
I dunno how to disable it :(

Offline V@no

« Reply #8 on: March 24, 2005, 02:28:41 PM »
Read the documentation that came with v1.7.1 ;)

Offline naif824

« Reply #9 on: March 24, 2005, 03:29:00 PM »
Here is the doc:

  -- Advanced control of the caching system ----------------

  You can control the caching system in your config.php with
  the following configuration variables:

  - $cache_enable = 1;
      A value of 1 enables the caching system, 0 disables it.
      Default value is 0.

Meanwhile, see my config.php:

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: config.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

$db_servertype = "mysql";
$db_host = "localhost";
$db_name = "XXXXXXXXXXXXXXXX";
$db_user = "XXXXXXXXXXXXXX";
$db_password = "XXXXXXXXXX";

$table_prefix = "4images_";

define("4IMAGES_ACTIVE", 1);

?>



Shall I add it like this:


Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: config.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

$db_servertype = "mysql";
$db_host = "localhost";
$db_name = "XXXXXXXXXXXXXXXX";
$db_user = "XXXXXXXXXXXXXX";
$db_password = "XXXXXXXXXX";

$table_prefix = "4images_";

$cache_enable = 0;

define("4IMAGES_ACTIVE", 1);

?>


Offline Jan

« Reply #10 on: March 24, 2005, 03:37:50 PM »
You should also read through this: http://php.net/session
This issue is a known one and is possible for all sessions based on session ids. You can try to set the configuration options in config.php by the ini_set() function, e.g.
Code:
ini_set('session.use_only_cookies', 1);
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
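
The setting suggested above, shown with related PHP session options, as an added example that is not part of the original posts and not 4images code. It assumes PHP's native session handling and the `sessionid` URL parameter seen in the first post; `strip_session_param()` is a hypothetical helper and the sample URL is constructed.

```php
<?php
// Added example, not 4images code. Apply before the session is started.

// Accept the session id from a cookie only; ignore ?sessionid=... in the URL.
ini_set('session.use_only_cookies', '1');
// Stop PHP from rewriting links and forms to append the session id.
ini_set('session.use_trans_sid', '0');
// Keep the session cookie out of reach of page scripts.
ini_set('session.cookie_httponly', '1');

/**
 * Hypothetical helper: return the URL with the named session parameter
 * removed from its query string, so a copied link carries no session id.
 */
function strip_session_param(string $url, string $param = 'sessionid'): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url; // nothing to strip
    }
    parse_str($parts['query'], $query);
    if (!array_key_exists($param, $query)) {
        return $url;
    }
    unset($query[$param]);
    $base = strstr($url, '?', true);
    $fragment = isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    $qs = http_build_query($query);
    return $base . ($qs !== '' ? '?' . $qs : '') . $fragment;
}

// Constructed sample URL in the shape shown in the first post.
$shared = 'http://gallery.example/details.php?image_id=623&sessionid=CONSTRUCTEDVALUE';
echo strip_session_param($shared), "\n";

// If a request still arrives with the parameter, redirect to the clean URL
// so the id does not stay in the address bar, history or Referer header.
if (PHP_SAPI !== 'cli' && isset($_GET['sessionid'])) {
    header('Location: ' . strip_session_param($_SERVER['REQUEST_URI']), true, 302);
    exit;
}
```

With `session.use_only_cookies` on, a session id pasted into a link is ignored by the server, so visitors whose browsers refuse cookies are asked to log in instead of carrying the id in the URL.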

Offline naif824

« Reply #11 on: March 25, 2005, 12:00:15 AM »
thx

Great support

adding :

ini_set('session.use_only_cookies', 1);


to config file solved the problem


best regards

Offline artistichideaway

« Reply #12 on: August 16, 2006, 12:22:36 PM »
Hello,

I have had the 4images 1.7.1 gallery installed for some time. Everything runs fine; the only problem is, "log me on automatically on next visit" doesn't work for anyone. Deleting temporary internet files and cookies doesn't help.
I even heard from 2 users they can't log on no matter what.

I tried to find some useful advice in previous topics but nothing worked.

I attach PHP session info as I think the problem might be there. Can anyone please have a look and let me know if the settings need to be changed in some way.
Thank you.

otherwise the gallery is at:

www.michaeljacksonart.com
login: test
pass: test


Offline V@no

« Reply #13 on: August 16, 2006, 03:04:11 PM »
In your case, there are no cookies being set AT ALL when you log in with the "remember me" checkbox ticked...
Try using the default, unmodified sessions.php and see if it works...

Offline artistichideaway

« Reply #14 on: August 16, 2006, 06:07:11 PM »
Thank you for your advice.... :D
I tried but no change  :cry:......I think I had this problem from the very beginning I installed 4images, even without any mods installed.
Do you think, it could help to upgrade to 4images version 1.7.3 ?



« Last Edit: August 16, 2006, 07:27:18 PM by artistichideaway »