An enterprising student at our college created a simple HTML page with the following lines - one for each student (2000-odd in total), with the id incremented in each case.
<img src="https://ourdomain.ac.uk/user/pix.php/3/f1.jpg">
<img src="https://ourdomain.ac.uk/user/pix.php/4/f1.jpg">
...
This displayed all the user photographs from the system on one page and quickly got passed around the college. This resulted in high usage of our server, as each picture is displayed after executing the pix.php script! 2,000 pictures, 2,000 students....
The reason this works is that pix.php does not have any require_login statement. Below is our method of defeating this. It also stops browsing of directories on an Apache server and hotlinking to other people's uploaded assignments.
However, has anyone else come across this or a similar problem and how did you overcome it?
In Apache httpd.conf, enable the mod_rewrite module and set AllowOverride to All for the web root.
In a .htaccess file in your web root put the following (ensure lines do not wrap, else it won't work):
#Stop directory browsing
IndexIgnore *
#Needed for mod_rewrite
Options +FollowSymLinks
#mod_rewrite rules
RewriteEngine On
#Forbid protected file types when the request carries no Referer at all
#(NC makes the extension match case-insensitive, so .JPG is covered too)
RewriteCond %{HTTP_REFERER} ^$
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F,NC]
#Forbid file.php and pix.php with no Referer; (^|/) also matches the scripts
#below the web root, e.g. user/pix.php, which a plain ^ anchor would miss
RewriteCond %{HTTP_REFERER} ^$
RewriteRule (^|/)(file|pix)\.php - [F]
#Forbid protected file types when the Referer is not this site (http or https);
#the trailing (/|$) stops a host such as server.domain.elsewhere from passing
RewriteCond %{HTTP_REFERER} !^https?://server\.domain(/|$) [NC]
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F,NC]
#Forbid file.php and pix.php when the Referer is not this site
RewriteCond %{HTTP_REFERER} !^https?://server\.domain(/|$) [NC]
RewriteRule (^|/)(file|pix)\.php - [F]
Dave
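To check what the Referer-based rules above actually forbid before deploying them, here is an added Python model of that rule set run over constructed requests (example code, not part of the original post or of Moodle). It assumes the site check is `^https?://server\.domain(/|$)` and that the script rule is matched as `(^|/)(file|pix)\.php` so that `user/pix.php` under the web root is covered; `server.domain` is the post's own placeholder.

```python
import re
from typing import Optional

# Constructed model of the post's .htaccess rules; server.domain is the post's placeholder.
SITE_REFERER = re.compile(r"^https?://server\.domain(/|$)", re.I)
PROTECTED_EXT = re.compile(r"\.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$", re.I)
# Assumed: match the serving scripts at the web root or below it (e.g. user/pix.php).
SERVING_SCRIPT = re.compile(r"(^|/)(file|pix)\.php")


def is_forbidden(path: str, referer: Optional[str]) -> bool:
    """True when the modelled rules would answer 403 Forbidden.

    path is what the web-root .htaccess sees: no leading slash, e.g. 'user/pix.php/3/f1.jpg'.
    """
    if not (PROTECTED_EXT.search(path) or SERVING_SCRIPT.search(path)):
        return False                      # request is not covered by any rule
    if not referer:                       # no Referer header, or an empty one
        return True
    return SITE_REFERER.match(referer) is None


# Constructed sample requests: (path, Referer header or None, expected 403).
SAMPLES = [
    ("user/pix.php/3/f1.jpg", None, True),                   # embedded with no Referer
    ("user/pix.php/4/f1.jpg", "http://other.example/all.html", True),
    ("user/pix.php/4/f1.jpg", "https://server.domain/user/view.php?id=4", False),
    ("user/pix.php/4/F1.JPG", "http://other.example/", True),   # extension case ignored
    ("file.php/5/assign.doc", "http://server.domain.other.example/", True),  # prefix only
    ("file.php/5/assign.doc", "http://server.domain/mod/assignment/view.php", False),
    ("index.php", None, False),                              # not an asset, rules do not apply
]


def check_samples() -> bool:
    """Return True when every sample is classified as expected."""
    return all(is_forbidden(p, r) == exp for p, r, exp in SAMPLES)


if __name__ == "__main__":
    for path, referer, expected in SAMPLES:
        verdict = "403" if is_forbidden(path, referer) else "200"
        print(f"{verdict}  {path!r:42} Referer={referer!r}")
    assert check_samples()
```

The Referer header is supplied by the client, so these rules limit casual embedding and hotlinking but are not an access control; the login check in pix.php remains the real fix, and clients that send no Referer at all (some privacy settings and proxies) will also receive 403 under the first two rules.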