Also available in better German: look inside the German folder.
The new version of the ImageVue X2 Gallery has a really big security problem.
It is possible to look at the content even if the folder is password protected or hidden!
How?
The folder "content" has two important files: folders.xml and folderdata.xml.
If the webserver is not protected well enough, you can read these files directly.
As a sample, we take the demo from this site: https://www.photo.gallery/demo/x2/content/folders.xml
There are some interesting things inside the file:
-path: we take this one: "content/Various Examples/password/"
-description: here it is written that only people who know the password can read the content, of course
-hidden="true": maybe also interesting...
Then we go to the link https://www.photo.gallery/demo/x2/content/co ... /password/
If the webserver denies listing the files, then the webserver is a little more secure... but that is not the problem: then we take the file folderdata.xml.
In our sample that is this link: https://www.photo.gallery/demo/x2/content/Va ... erdata.xml
Now we can see all files that are in this folder. The first file in this XML is this picture: 4b3346d7d-cc85-4d88-ad0c-89abc3326022.jpg, so then
we can open this file with this link: https://www.photo.gallery/demo/x2/content/Va ... 326022.jpg
And we see the picture without any password...
Protecting against this security problem is very easy: copy the following content into the file ".htaccess" in the root of your webserver --> for the Apache webserver!
Code
########## .htaccess START ################
# Protect the gallery metadata files (folders.xml, folderdata.xml) from prying eyes.
# The pattern is anchored so that only files ending in ".xml" are blocked.
<FilesMatch "\.xml$">
  # Apache 2.4 and newer
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 and older
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# On a missing page go directly to the start page (the 404 status is kept).
ErrorDocument 404 /index.php
########## .htaccess ENDE ################
From now on nobody can look inside your XML files from outside, and your webserver is safe from this problem. Check afterwards that the gallery itself still works, because a front end that loads these XML files over HTTP would now be blocked as well. Note also that a picture file stays reachable by anyone who knows its exact file name: this .htaccess hides the file lists, it does not password-protect the images themselves.
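As an added check, not part of the original post or of ImageVue: a small Python script that probes your own installation for the metadata files and directory listings described above and reports whether they are still readable after the .htaccess change. The gallery base URL and folder paths are arguments you supply; the content/folders.xml and folderdata.xml layout is assumed from the post.

```python
"""Check that an ImageVue X2 install no longer serves its XML metadata.

Added example (not from the original post or the ImageVue project). Assumes
the layout the post describes: content/folders.xml at the gallery root and
folderdata.xml inside each folder.
"""
import urllib.error
import urllib.parse
import urllib.request


def fetch(url):
    """GET url and return (status, body_text); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def is_exposed(status, body):
    """True when the response is a readable XML file or an Apache directory listing.

    A 200 alone is not enough: 'ErrorDocument 404 /index.php' may serve the start
    page with a 200 from some setups, so the body is inspected too.
    """
    head = body.lstrip()[:512]
    return status == 200 and (head.startswith("<?xml") or "Index of" in head)


def audit_gallery(base_url, folders=(), get=fetch):
    """Map each probed path to 'exposed' or 'blocked'.

    folders: gallery folders to check, e.g. "content/Various Examples/password/".
    get: fetch function, injectable so the logic can be tested offline.
    """
    base = base_url.rstrip("/") + "/"
    paths = ["content/folders.xml", "content/"]          # root metadata + listing
    for folder in folders:
        folder = folder.strip("/") + "/"
        paths += [folder, folder + "folderdata.xml"]     # listing + per-folder metadata
    results = {}
    for path in paths:
        status, body = get(base + urllib.parse.quote(path))
        results[path] = "exposed" if is_exposed(status, body) else "blocked"
    return results


def is_hardened(results):
    """True only when none of the probed paths is still readable."""
    return all(state == "blocked" for state in results.values())
```

Call audit_gallery with the URL of your own gallery and the folder paths from your folders.xml; every entry should come back as "blocked".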
Is this article helpful for you?
I would be glad about a donation.
PayPal: 5.- Swiss francs