IMAGEVUE SECURITY CHECKLIST | IMPROVE YOUR GALLERY SECURITY!

Posted: 04 Sep 2013, 08:12
by Bulletproof IT
IMAGEVUE X2 SECURITY CHECKLIST :: HOW TO IMPROVE YOUR GALLERY'S SECURITY!

I created this topic as I was getting frustrated that nothing was being done to make people aware of how insecure ImageVue is by default, and that it is **incredibly** important to take just a few simple steps (less than 5 minutes out of your day) to ensure your installation is secure!

To prevent your gallery from being accessed by unauthorised visitors please follow these simple steps to protect your privacy, email addresses, and hard work from being deleted!

#1. Change the default Administrator user name and password!
- Click "Users" from top menu (Path: /index.php?c=user).
- Edit the admin account.
- Modify the admin user name to anything other than 'admin' e.g. FredSmith.
- Modify the admin password to anything other than 'admin' e.g. IMAGEVUE1234 (uppercase, lowercase, numeric).

#2. Change the default content directory!
- Via FTP, rename the /content/ directory to an alpha-numeric name (e.g. media2013/).
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Within Imagevue Settings, update the content folder value (default: "content/") to "media2013/".
- Click save and clear your cache.

#3. Change the default Administrator /iv-admin/ directory!
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Update the current path from "iv-admin/" to your new alpha-numeric directory name (e.g. "secureAdmin9/").
- Via FTP, rename the /iv-admin/ directory to your alpha-numeric directory name (e.g. secureAdmin9/).

#4. Prevent access to your XML configuration files!
- Try navigating to your config file to see what is visible to the world: "http://Your-Gallery-URL.com/iv-config/config.xml".
- Within the root of your ImageVue installation, create a new blank file.
- Name the file "/htaccess.txt".
- Edit the file and paste the following code in:
Code:
## ImageVue HTAccess Security Update By Bulletproof IT.
## Updated: 2013/09/01 | Version v1.0.0
<Files ~ "\.xml$">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
Options -Indexes
- Save and close the file.
- Rename "/htaccess.txt" to "/.htaccess" in the root of your ImageVue gallery installation.
- Try navigating to "http://Your-Gallery-URL.com/iv-config/config.xml". You should now receive an error instead of the file's contents! :)


I hope you find these tips useful! I am sure I have made a mistake somewhere, so if you notice something, please let me know :D
If you have any tips of your own, or have improved what I have described above, then please feel free to share it here with clear instructions.

Thank you!
Cheers,
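As an added illustration (not part of the original post or of Imagevue itself), the script below emulates what the `<Files ~ "\.xml$">` rule from step #4 matches and then scans a few constructed Apache access-log lines for XML requests that were still served with 200, plus hits on the default admin path. All IPs, paths and log lines are made up; the only real-world detail it relies on is that Apache tests a `<Files>` pattern against the file name alone, case-sensitively.

```python
import re
from collections import Counter

# Pattern from the post's <Files ~ "\.xml$"> block. Apache applies it to the
# basename only and case-sensitively, so "index.XML" slips through it.
XML_RULE = re.compile(r"\.xml$")
# Case-insensitive variant a defender would prefer for the same directive.
XML_RULE_CI = re.compile(r"\.xml$", re.IGNORECASE)

def blocked_by_files_rule(path: str, rule=XML_RULE) -> bool:
    """Emulate <Files ~ ...>: strip the query string, test the basename."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return bool(rule.search(name))

# Constructed combined-format log lines (assumed, not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2013:10:01:02 +0000] "GET /iv-config/config.xml HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2013:10:01:09 +0000] "GET /content/albums/index.XML HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2013:10:02:30 +0000] "GET /iv-config/config.xml HTTP/1.1" 403 214 "-" "curl/7.30"
198.51.100.7 - - [05/Sep/2013:10:02:31 +0000] "GET /iv-admin/ HTTP/1.1" 200 3021 "-" "curl/7.30"
198.51.100.7 - - [05/Sep/2013:10:02:40 +0000] "POST /iv-admin/index.php?c=login HTTP/1.1" 200 3021 "-" "curl/7.30"
"""

# client IP, method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_exposures(log_text: str):
    """Return (served_xml, admin_hits).

    served_xml: (ip, path, rule_would_match) for every XML file served with
    200, i.e. the .htaccess rule is missing or did not match that name.
    admin_hits: requests per IP against the default /iv-admin/ path.
    """
    served_xml, admin_hits = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if status == "200" and blocked_by_files_rule(path, XML_RULE_CI):
            served_xml.append((ip, path, blocked_by_files_rule(path)))
        if path.startswith("/iv-admin/"):
            admin_hits[ip] += 1
    return served_xml, admin_hits

if __name__ == "__main__":
    served, hits = find_exposures(SAMPLE_LOG)
    for ip, path, matched in served:
        print(f"XML served to {ip}: {path} (rule matches: {matched})")
    print("admin path hits:", dict(hits))
```

The directives in the post are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent inside the `<Files>` block is `Require all denied`.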

Re: IMAGEVUE SECURITY CHECKLIST | IMPROVE YOUR GALLERY SECUR

Posted: 05 Sep 2013, 01:20
by mjau-mjau
Bulletproof IT wrote:IMAGEVUE X2 SECURITY CHECKLIST :: HOW TO IMPROVE YOUR GALLERY'S SECURITY!

I created this topic as I was getting frustrated that nothing was being done to make people aware of how insecure ImageVue is by default, and that it is **incredibly** important to take just a few simple steps (less than 5 minutes out of your day) to ensure your installation is secure!

To prevent your gallery from being accessed by unauthorised visitors please follow these simple steps to protect your privacy, email addresses, and hard work from being deleted!
Really appreciate your feedback here, and of course there is room for improvements ... I would debate very much the **incredibly** importance of these issues though, as none of them are technically related to real security of the gallery (as long as you set your admin password)! Also, what is meant by "unauthorized visitors"? Everybody can access your gallery as long as it's on the web, and nobody can access your admin or hack your website unless they are provided the password.
Bulletproof IT wrote:#1. Change the default Administrator user name and password!
- Click "Users" from top menu (Path: /index.php?c=user).
- Edit the admin account.
- Modify the admin user name to anything other than 'admin' e.g. FredSmith.
- Modify the admin password to anything other than 'admin' e.g. IMAGEVUE1234 (uppercase, lowercase, numeric).
This is obviously incredibly important. We emphasize this in the Imagevue admin by redirecting first login to the "change username and login" page. Imagevue also displays a warning in RED text as long as the default login is not changed.
Bulletproof IT wrote:#2. Change the default content directory!
- Via FTP, rename the /content/ directory to an alpha-numeric name (e.g. media2013/).
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Within Imagevue Settings, update the content folder value (default: "content/") to "media2013/".
- Click save and clear your cache.
It does obscure your gallery paths, but exactly what do you achieve by this? Maybe some users won't be able to find direct paths to your images perhaps (if they for some reason want to), but if they know what they are doing, they will anyway. It does not provide any "security".
Bulletproof IT wrote:#3. Change the default Administrator /iv-admin/ directory!
- Click on "Settings" from the top menu (Path: /index.php?c=config#settings).
- Update the current path from "iv-admin/" to your new alpha-numeric directory name (e.g. "secureAdmin9/").
- Via FTP, rename the /iv-admin/ directory to your alpha-numeric directory name (e.g. secureAdmin9/).
I would say this is a good idea, although if you set your admin password, nobody would be able to access your admin anyway.
Bulletproof IT wrote:#4. Prevent access to your XML configuration files!
- Try navigating to your config file to see what is visible to the world: "http://Your-Gallery-URL.com/iv-config/config.xml".
- Within the root of your ImageVue installation, create a new blank file.
- Name the file "/htaccess.txt".
- Edit the file and paste the following code in:
Code:
## ImageVue HTAccess Security Update By Bulletproof IT.
## Updated: 2013/09/01 | Version v1.0.0
<Files ~ "\.xml$">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
Options -Indexes
- Save and close the file.
- Rename "/htaccess.txt" to "/.htaccess" in the root of your ImageVue gallery installation.
- Try navigating to "http://Your-Gallery-URL.com/iv-config/config.xml". You should now receive an error instead of the file's contents! :)
A good idea, but has no relation to the general security of the website. All settings are related to what any visitor sees in the frontend ... The emails should perhaps be encoded, but it's not like config.xml is available to spambots anyway.

Really appreciate your efforts nevertheless!

Re: IMAGEVUE SECURITY CHECKLIST | IMPROVE YOUR GALLERY SECUR

Posted: 05 Sep 2013, 16:04
by Bulletproof IT
Hello,
Glad you like it. Thank you for showing your appreciation. I typed it up over a few hours one day.

Incredibly important? Well anything is debatable, but if you don't want your entire gallery being maliciously wiped, someone logging in and changing your password, downloading your paid content (ecommerce plugin) etc, it is recommended to complete all steps.

Unauthorised visitors - these are visitors trying to do the wrong thing, either trying to gain, or gaining, access to the back-end features or interface they are not permitted (or authorised) to access... :)


#1. DEFAULT ADMIN USER NAME AND PASSWORD
- Prevents anyone accessing things they shouldn't as the path is changed, making it harder to find known vulnerabilities (whether older versions or current), backdoors, files that do not perform auth checks, file uploaders, foreign file uploads, etc.
- Known admin paths can be brute forced. You have no ban script in ImageVue to block IPs after X attempts!
- People with ESL (English as Second Language) will not always pay attention to things if they can use the application as normal. If you instead BLOCKED people from changing pages if password = "admin", then that would be a better measure! (recommended!). Therefore, they cannot use any function of the site until value updated.
- If the administrator user name is changed, but the password remains as "admin", it is EXACTLY the same difficulty level to guess the password with "admin" as the user name, as having "admin" as the password but an unknown user name. Combining a non-standard user name and password means you are 10 times more unlikely to have the two "brute forced".

#2. DEFAULT CONTENT DIRECTORY
If your members are selling graphics, which is their decision, not yours, then they MUST change this path! To prevent people browsing through their photos, music, videos - both hidden and visible, means obscuring the path as much as possible. IF... read it... IF ImageVue used Cache, then you MUST change the cache path too - far too many sites get compromised due to people finding temp cookies, and other session files in here. Exactly why many sites cater for these paths being changed. So changing the /content/ path is very important!

#3. DEFAULT ADMINISTRATOR DIRECTORY
- Passwords can be brute forced and should not be treated as a "be all and end all". This is **exactly** why you should change your administrator directory.
- Plus when plug-ins and 3rd party files are added to installations, you cannot always guarantee they have the same security precautions as other files. So preventing access is the obvious first step!
- It is absolutely necessary as ImageVue has no IP restrictions - such as banning or thresholds to be able to block IPs after X failed log-ins for X minutes.

#4. XML FILE AND OTHER FILE OR DIRECTORY ACCESS
- Email addresses are worth money these days. A lot of money. I just need to search for a common ImageVue phrase in Google to find THOUSANDS of other installations! (META key words, descriptions, copyright, interface language, etc, etc). I can easily obtain their email addresses without any knowledge at all! I am sorry but this is not satisfactory at all. :P
- No one should be able to access these files or traverse the directories, so why would they have access?
- In fact, NO ONE should have access to ANY FILES, other than what they require 'direct' access to, such as JPG, PNG, GIF, TIFF graphics files, plus PDF, DOC, TXT, XLS documents, and all other files in the /content/ directory (other than XML).
- On other sites, I block direct access to ALL Files except: htm, html, css, js and php (.htaccess files and any media obviously).


I am sorry but there is no "perhaps" about it. Of course they should be encoded/encrypted (even hashed) if they are publicly visible! :P

I understand you may not wish to admit that any of the above points are necessary - whether to avoid liability, save face on the forums or your general choice; and it is not my intention to humiliate, defame, or otherwise "put down" you or ImageVue. But I have seen numerous occasions where you have made an effort to tell me and other people things are "not a big deal" or are of "little or no concern" within the forums.

People's privacy and security are big deals and should be taken very seriously. Any developer's personal opinions are negligible and "just" their opinions, and do not form part of the "best-practices" for any premium paid web-based applications.

Please don't take offence at anything I say - I am simply talking from a developer point of view and not attacking you or your product in any way :)

Thank you for the feedback and gratitude. I am always happy to help the community. :D
- Bulletproof I.T.


EDIT:
Check out Google - https://www.google.com/search?q=imagevu ... 0&ie=UTF-8 with Search Term "imagevue, flash, photo, image, gallery". 900,000+ results!

Re: IMAGEVUE SECURITY CHECKLIST | IMPROVE YOUR GALLERY SECUR

Posted: 05 Sep 2013, 18:31
by eskimo121
appreciate it. thank you.

Re: IMAGEVUE SECURITY CHECKLIST | IMPROVE YOUR GALLERY SECUR

Posted: 06 Sep 2013, 03:38
by mjau-mjau
Bulletproof IT wrote:Incredibly important? Well anything is debatable, but if you don't want your entire gallery being maliciously wiped, someone logging in and changing your password, downloading your paid content (ecommerce plugin) etc, it is recommended to complete all steps.
I will not argue these great features you suggest, and they are definitely worth considering, also for future official releases. My only point being that none of these features except the first (which we also emphasize strongly) has any real effect in stopping a hacker and making the website vulnerable. To be able to hack the admin, and maliciously wipe the website, you will need login access to the admin and none of the other steps would generally prevent that. As for downloading "paid content", that is also easy by using a browser's developer tools to see where files are being loaded from regardless. The only true way to provide security for paid content would be to protect the files themselves, but then of course they would be protected from Imagevue loading them also unless a password combo was integrated.

All in all great tips, and really appreciate your time. As you may be aware, we are working towards some brand new stuff here at Imagevue, and debate about security and privacy is helpful.