Protecting Image Paths

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
ralphlorem
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Tue Mar 05, 2024 7:04 pm

Protecting Image Paths

Post by ralphlorem » Thu May 23, 2024 6:10 pm

Hello everyone,

Today I noticed something regarding image paths on Joomla 3. Let's say, as an example, you have an article with the access level of "Registered" or something of that nature. If the article has an image included within it, which has the file name /images/2024/image.jpeg, this image is still accessible if you enter the full path and do not have the appropriate access levels (https://website.com/images/2024/image.jpeg).

I understand this may potentially go beyond the scope of Joomla Security, however, it worries me that by chance someone can simply brute-force-guess the path of the image and view it.

I've tested this with article images protected by permission levels, and entering the path into a fresh incognito window.

Does anyone have any ideas or solutions to this, or would the best option be something more simple, such as creating a harder-to-guess image path?

Any thoughts appreciated!

Thanks, Ralph.

SharkyKZ
Joomla! Hero
Joomla! Hero
Posts: 2990
Joined: Fri Jul 05, 2013 10:35 am
Location: Parts Unknown

Re: Protecting Image Paths

Post by SharkyKZ » Tue May 28, 2024 5:41 am

There is no relation between images and articles/permissions when you serve them using direct links. In order to check permissions, you'd have to serve images through PHP. Like it's done on this forum, for example.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12809
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Protecting Image Paths

Post by brian » Wed May 29, 2024 3:02 pm

With the correct htaccess rule you can prevent direct access to static files such as images
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 31087
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Protecting Image Paths

Post by Per Yngve Berg » Wed May 29, 2024 3:20 pm

Search for "Prevent Hot Linking" for examples of rules you can put in the
.htaccess file.


Post Reply

Return to “Security in Joomla! 3.x”