X3Photo Gallery Forums

IMAGEVUE X2 SECURITY CHECKLIST :: HOW TO IMPROVE YOUR GALLERY'S SECURITY!

I created this topic as I was getting frustrated that nothing was being done to make people aware of how insecure ImageVue is by default, and that it is **incredibly** important to take just a few simple steps (less than 5 minutes out of your day) to ensure your installation is secure!

To prevent your gallery from being accessed by unauthorised visitors please follow these simple steps to protect your privacy, email addresses, and hard work from being deleted!

#1. Change the default Administrator user name and password!
- Click "Users" from top menu (Path: /index.php?c=user).
- Edit the admin account.
- Modify the admin user name to anything other than 'admin' e.g. FredSmith.
- Modify the admin password to anything other than 'admin' e.g. IMAGEVUE1234 (uppercase, lowercase, numeric).

#2. Change the default content directory!
- Via FTP, rename the /content/ directory to an alpha-numeric name (e.g. media2013/).
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Within Imagevue Settings, update the content folder value (default: "content/") to "media2013/".
- Click save and clear your cache.

#3. Change the default Administrator /iv-admin/ directory!
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Update the current path from "iv-admin/" to your new alpha-numeric directory name (e.g. "secureAdmin9/").
- Via FTP, rename the /iv-admin/ directory to your alpha-numeric directory name (e.g. secureAdmin9/).

#4. Prevent access to your XML configuration files!
- Try navigating to your config file to see what is visible to the world: "http://Your-Gallery-URL.com/iv-config/config.xml".
- Within the root of your ImageVue installation, create a new blank file.
- Name the file "/htaccess.txt".
- Edit the file and paste the following code in: - Save and close the file.
- Rename "/htaccess.txt" to "/.htaccess" in the root of your ImageVue gallery installation.
- Try navigating to "http://Your-Gallery-URL.com/iv-config/config.xml". You should now receive an error instead of the files contents!


I hope you find these tips useful! I am sure I have made a mistake somewhere, so if you notice something, please let me know
If you have any tips of your own, or have improved what I have described above, then please feel free to share it here with clear instructions.

Thank you!
Cheers,

Hello,
Glad you like it. Thank you for showing your appreciation. I typed it up over a few hours one day.

Incredibly important? Well anything is debatable, but if you don't want your entire gallery being maliciously wiped, someone logging in and changing your password, downloading your paid content (ecommerce plugin) etc, it is recommended to complete all steps.

Unauthorised visitors - these are visitors trying to do the wrong thing, either trying to gain, or gaining, access to the back-end features or interface they are not permitted (or authorised) to access...


#1. DEFAULT ADMIN USER NAME AND PASSWORD
- Prevents anyone accessing things they shouldn't as the path is changed, making it harder to find known vulnerabilities (whether older versions or current), backdoors, files that do not perform auth checks, file uploaders, foreign file uploads, etc.
- Known admin path's can be brute forced. You have no ban script in ImageVue to block IP's after X attempts!
- People with ESL (English as Second Language) will not always pay attention to things if they can use the application as normal. If you instead BLOCKED people from changing pages if password = "admin", then that would be a better measure! (recommended!). Therefore, they cannot use any function of the site until value updated.
- If the administrator user name is changed, but the password remains as "admin", it is EXACTLY the same difficulty level to guess the password with "admin" as the user name, as having "admin" as the password but an unknown user name. Combining a non-standard user name and password means you are 10 times more unlikely to have the two "brute forced".

#2. DEFAULT CONTENT DIRECTORY
If your members are selling graphics, which is their decision, not yours, then they MUST change this path! To prevent people browsing through their photos, music, videos - both hidden and visible, means obscuring the path as much as possible. IF... read it... IF ImageVue used Cache, then you MUST change the cache path too - far too many sites get compromised due to people finding temp cookies, and other session files in here. Exactly why many sites cater for these paths being changed. So changing the /content/ path is very important!

#3. DEFAULT ADMINISTRATOR DIRECTORY
- Passwords can be brute forced and should not be treated as a "be all and end all". This is **exactly** why you should change your administrator directory.
- Plus when plug-ins and 3rd party files are added to installations, you cannot always guarantee they have the same security precautions as other files. So preventing access is the obvious first step!
- It is absolutely necessary as ImageVue has no IP restrictions - such as banning or thresholds to be able to block IP's after X failed log-ins for X minutes.

#4. XML FILE AND OTHER FILE OR DIRECTORY ACCESS
- Email addresses are worth money these days. A lot of money. I just need to search for a common ImageVue phrase in Google to find THOUSANDS of other installations! (META key words, descriptions, copyright, interface language, etc, etc). I can easily obtain their email addresses without any knowledge at all! I am sorry but this is not satisfactory at all.
- No one should be able to access these files or traverse the directories, so why would they have access?
- In fact, NO ONE should have access to ANY FILES, other than what they require 'direct' access to, such as JPG, PNG, GIF, TIFF graphics files, plus PDF, DOC, TXT, XLS documents, and all other files in the /content/ directory (other than XML).
- On other sites, I block direct access to ALL Files except: htm, html, css, js and php (.htaccess files and any media obviously).


I am sorry but there is no "perhaps" about it. Of course they should be encoded/encrypted (even hashed) if they are publicly visible!

I understand you may not wish to admit that any of the above points are necessary - whether to avoid liability, save face on the forums or your general choice; and it is not my intention to humiliate, defame, or otherwise "put down" you or ImageVue. But I have seen numerous occasions where you have made an effort to tell me and other people things are "not a big deal" or are of "little or no concern" within the forums.

People's privacy and security are big deals and should be taken very seriously. Any developer's personal opinions are negligible and "just" their opinions, and do not form part of the "best-practices" for any premium paid web-based applications.

Please don't take offence at anything I say - I am simply talking from a developer point of view and not attacking you or your product in any way

Thank you for the feedback and gratitude. I am always happy to help the community.
- Bulletproof I.T.


EDIT:
Check out Google - https://www.google.com/search?q=imagevu ... 0&ie=UTF-8 with Search Term "imagevue, flash, photo, image, gallery". 900,000+ results!