[nycphp-talk] secure photo gallery web application

max goldberg max.goldberg at gmail.com
Mon Jun 28 13:56:47 EDT 2004


I host a lot of people who use gallery, and it seems like every other
month there is a new security patch. I am not sure if there has ever
been a stable version without some sort of gaping exploit. They may
just do this so people will check the website every couple of weeks.

It wouldn't be such a big deal if I didn't have to manually upgrade 8
gallery installations by hand, but it is definitely a pain. I would
only suggest using gallery if you are going to be actively using and
adding new pictures to it.

I wrote something similar to what you are describing a few years ago
for an album of WTC pictures that gets hit heavily, and it's
definitely stood the tests of time. One of the problems ("nice
features") with gallery is that it doesn't use a database. It uses a
plethora of flat files filled with huge serialized arrays. When you
get an extreme amount of traffic on a gallery installation, it can
very easily bring a server to its knees. So depending on how you plan
on using it, it may be worth it to write a quick script to do what you
want.

Otherwise there are plenty of free applications for both windows and
unix that will take a set of pictures and plop out a static html
"album".

Also just looked at the gallery website, another security issue posted
yesterday.
hoorah!

-Max
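As an added illustration of the "quick script" alternative Max describes (this is example code, not anything from the original post or from the Gallery project), the following command-line PHP script walks one directory of pictures and writes a static index.html beside them. The directory path, the whitelist of extensions and the page title are assumptions. The security point is the one the thread is circling: the generated page is a plain file, so nothing runs on the web server per request, there are no serialized-array flat files to parse under load, and no URL parameters exist for automated scanners to probe. File names are validated against a whitelist and content-sniffed with getimagesize before they are listed, and every name is escaped before it is placed in HTML.

```php
<?php
// Added example (not from the original post): a minimal static album generator.
// Usage (assumed): php make_album.php /path/to/pictures "Mermaid Parade 2004"
// It writes /path/to/pictures/index.html and exits; nothing is executed at request time.
declare(strict_types=1);

// Assumed whitelist; anything else (.php, .htaccess, Thumbs.db, ...) is ignored.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Escape a string for use in HTML text or attribute context. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Return the sorted list of image file names in $dir that pass the whitelist and content check. */
function listImages(string $dir): array
{
    $images = [];
    foreach (scandir($dir) as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        // Skip dot entries and anything that is not a regular file.
        if ($name === '.' || $name === '..' || !is_file($path)) {
            continue;
        }
        // Extension whitelist first (cheap), then confirm the bytes really are an image.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXT, true)) {
            continue;
        }
        $info = @getimagesize($path); // false for corrupt or non-image content
        if ($info === false || strpos($info['mime'], 'image/') !== 0) {
            continue;
        }
        $images[] = $name;
    }
    sort($images, SORT_STRING);
    return $images;
}

/** Build one album page; every file name is escaped before it reaches the markup. */
function renderAlbum(string $title, array $images): string
{
    $out = "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
         . '<title>' . esc($title) . "</title></head><body>\n"
         . '<h1>' . esc($title) . "</h1>\n<ul>\n";
    foreach ($images as $name) {
        // rawurlencode makes the name safe as a URL; esc makes it safe inside the attribute.
        $href = esc(rawurlencode($name));
        $out .= '<li><a href="' . $href . '"><img src="' . $href . '" alt="' . esc($name) . '"></a></li>' . "\n";
    }
    return $out . "</ul>\n</body></html>\n";
}

if (PHP_SAPI === 'cli') {
    $dir   = $argv[1] ?? '.';                       // assumption: album directory as first argument
    $title = $argv[2] ?? basename((string) realpath($dir));
    $images = listImages($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'index.html', renderAlbum($title, $images));
    echo 'wrote index.html listing ' . count($images) . " pictures\n";
}
```

Because the output is static, the web server can serve the album with PHP disabled entirely for that directory, which removes the monthly patch cycle Max complains about for that part of the site; the script only needs to be re-run when pictures are added.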

On Mon, 28 Jun 2004 11:52:14 -0400, Mitch Pirtle
<mitchy at spacemonkeylabs.com> wrote:
> 
> Jayesh Sheth wrote:
> 
> > Hello all,
> >
> > I would like to post some pictures (from the recent Mermaid Parade in
> > Coney Island) to my website. I have considered using Gallery for its
> > ease of use, but I have some reservations: I have noticed some
> > automated bots scanning my sites in attempt to break into them using
> > known exploits in commonly used pieces of open source software such as
> > PHP-Nuke and Gallery.
> 
> 
> Sad I missed the parade :(  Living a 10-minute drive away makes it even
> more disappointing that I managed to miss it!)
> 
> I'm in the process of setting up a gallery using the RSGallery module
> for Mambo Open Source (www.mamboserver.com).  There are a couple very
> active security researchers that are working with the Mambo crew over at
> Mosforge.net, and I can say that the security of Mambo is really getting
> solid.
> 
> I believe all of the gallery scripts start out with humble ambitions,
> and as more folks use it, more features are requested.  I guess that's
> just the nature of software development in the OSS world ;)
> 
> And you are absolutely right about the automated scanners - we have a
> group in Brazil that have specialized in writing scanners for older
> versions of Mambo, and thankfully the Mambopots Project (distributed
> Mambo honeypots) is providing some pretty shocking data.  :(
> 
> -- Mitch
> 
> 
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>