PhpThumb: configuration and security mode

9 years 2 months ago #61015 by fortino
Hello,

I have a couple of questions about phpThumb:
- for a production site does it require a specific configuration or the default one is safe enough?
- I'm trying to enable the "high_security" mode but I still have problems with the hash [it says it's missing]. I wonder whether that's because both the flexicontent component and modules are not calling the function in the proper way to use the "high security" mode.

Do you have any infos about these "issues"?

thank you so much
sg


9 years 2 months ago #61018 by ggppdk
Hello

The phpThumb version included with FLEXIcontent does not have any known security issue that would allow an attacker to modify or write PHP files, or otherwise hack a website
- it will only read and thumbnail images
- also, by default configuration, it will not thumbnail images ABOVE document ROOT, thus your website statistics images, and images of other websites, are safe from being stolen

but some can use phpThumb to steal copyrighted images
- that if the images are inside a folder that is NOT protected via .htaccess

so e.g. if you disable .htaccess protection for images uploaded via the image field in folder mode, then
even if you have a watermark in your thumbnails, someone can use a phpThumb thumbnail and download the image without the watermark


-- Flexicontent is Free but involves a big effort on our part.
Like our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...


9 years 2 months ago #61020 by fortino
ok, great.

thank you so much


9 years 2 months ago #61021 by ggppdk
Hello

Also, about high security mode, to make security tighter,
we will make use of it in the future
- if a phpThumb vulnerability is discovered in the future, or some other server-related vulnerability is discovered,
then it will not be possible to use it if the web-site is using "high security mode"

- this is a newer feature of phpThumb

it makes it impossible to use URLs that are not created by a specific function,
- aka you cannot just type URLs in the browser

but this will break any older custom using such URLs
- the idea is to make a component parameter for it

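The mechanism described above (thumbnail URLs that are only accepted when they carry a hash produced by a trusted URL-building function) is the usual signed-URL pattern. The following Python is an added illustration of that pattern, not FLEXIcontent's or phpThumb's own code: it reproduces the shape of phpThumb's check as its documentation describes it (an MD5 over the query string with a secret password appended, compared against the `hash` parameter), and the reason strings mirror the "missing hash" failure reported in the first post, which is exactly what happens when a template builds the URL without going through the signing function. The secret, parameter names and sample URLs are constructed for the demo; compatibility with any specific phpThumb version is an assumption, so treat this as an explanation of the behaviour, not a drop-in replacement.

```python
"""Signed thumbnail URLs in the style of phpThumb's "high security" mode.

Added example, not the project's code. Assumed scheme (after phpThumb's docs):
    hash = md5(query_string_without_hash + secret_password)
The server rejects any request whose hash is missing or does not match, so a
hand-typed URL such as phpThumb.php?src=...&w=2000 is never processed.
"""
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed secret for the demo. phpThumb insists on a non-trivial password;
# a real deployment stores this server-side only and never emits it in markup.
SECRET = "example-high-security-password"


def sign_query(params: dict, secret: str = SECRET) -> str:
    """Build the query string a trusted helper (the 'specific function' in the
    thread) would emit: the ordinary parameters plus a trailing hash."""
    query = urlencode(params)
    digest = hashlib.md5((query + secret).encode("utf-8")).hexdigest()
    return query + "&hash=" + digest


def thumbnail_url(params: dict, base: str = "/components/phpthumb/phpThumb.php") -> str:
    """Full URL as a template should render it. The base path is an assumption."""
    return base + "?" + sign_query(params)


def verify_query(query: str, secret: str = SECRET) -> tuple[bool, str]:
    """Server-side check. Returns (accepted, reason).

    The hash is expected as the last parameter, which is how sign_query emits
    it; everything before '&hash=' is the signed payload.
    """
    unsigned, sep, supplied = query.rpartition("&hash=")
    if not sep:
        return False, "missing hash"
    expected = hashlib.md5((unsigned + secret).encode("utf-8")).hexdigest()
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return False, "invalid hash"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: a 200px-wide thumbnail of an uploaded image.
    params = {"src": "images/stories/photo.jpg", "w": 200}
    signed = sign_query(params)
    print("rendered URL :", thumbnail_url(params))
    print("signed       :", verify_query(signed))
    # Template that forgot to sign: the failure the first post ran into.
    print("unsigned     :", verify_query("src=images/stories/photo.jpg&w=200"))
    # Someone editing the width by hand to pull a larger, unwatermarked copy.
    print("tampered     :", verify_query(signed.replace("w=200", "w=2000")))
```

Two practical points follow from the code: every place that renders a thumbnail URL (component views, modules, custom templates) has to go through `sign_query`, which is why enabling the mode without updating the templates produces "missing hash"; and because the secret is mixed into the digest, changing any parameter after the fact invalidates the URL, which is what stops the hand-typed requests the post mentions.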

9 years 2 months ago #61022 by ggppdk
And also update our templates and enable it by default for new web-sites


9 years 2 months ago #61024 by ggppdk
Hello

so we will make a parameter for it,
I have opened a new issue for it: (3.0.15 / 3.0.16)
github.com/FLEXIcontent/flexicontent-cck/issues/508

