Stopping Hotlinking of Images

by Dave Richford -
Number of replies: 8

An enterprising student at our college created a simple HTML page with the following lines - one for each student (2000 odd in total), with the id incremented in each case.

<img src="https://ourdomain.ac.uk/user/pix.php/3/f1.jpg">
<img src="https://ourdomain.ac.uk/user/pix.php/4/f1.jpg">
...

This displayed all the user photographs from the system on one page and quickly got passed around the college. This resulted in a high usage of our server as each picture is displayed after executing the pix.php script! 2,000 pictures, 2,000 students....

The reason this works is that pix.php has not got any require_login statement. Below is our method of defeating this. It also stops browsing of directories on an Apache server and hotlinking to other people's uploaded assignments.

However, has anyone else come across this or a similar problem and how did you overcome it?

In Apache's httpd.conf enable the mod_rewrite module and set AllowOverride to All for the web root.

In a .htaccess file in your web root put the following (ensure lines do not wrap, else it won't work):

#Stop directory browsing
IndexIgnore *

#Needed for mod_rewrite
Options +FollowSymLinks

#mod_rewrite rules
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^$
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F]

RewriteCond %{HTTP_REFERER} ^$
RewriteRule ^(file|pix)\.php - [F]

RewriteCond %{HTTP_REFERER} !^https://server\.domain
RewriteCond %{HTTP_REFERER} !^http://server\.domain
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F]

RewriteCond %{HTTP_REFERER} !^https://server\.domain
RewriteCond %{HTTP_REFERER} !^http://server\.domain
RewriteRule ^(file|pix)\.php - [F]

Dave
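As an added example (mine, not from Dave's post or from Moodle), the Python below models the referer checks in the rules above so their effect on sample requests can be seen without a running Apache. It assumes the rules' placeholder site name server.domain and, as Apache does in a .htaccess, applies each RewriteRule pattern to the request path relative to the directory holding the file.

```python
import re
from typing import Optional

# Added example, not from Dave's post or from Moodle: a model of the .htaccess
# referer rules above, so their effect can be checked offline. "server.domain"
# is the placeholder site name used in those rules.
ALLOWED_REFERER_PREFIXES = ("https://server.domain", "http://server.domain")
# Same patterns as the two RewriteRule lines; in a .htaccess they are matched
# against the request path relative to the directory that holds the file.
PROTECTED_FILE_RE = re.compile(r"\.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$")
PROTECTED_SCRIPT_RE = re.compile(r"^(file|pix)\.php")


def is_protected_path(rel_path: str) -> bool:
    """True if either RewriteRule pattern matches. The pix.php URLs from the
    post end in /f1.jpg, so the file pattern catches them in any case."""
    return bool(PROTECTED_FILE_RE.search(rel_path) or PROTECTED_SCRIPT_RE.match(rel_path))


def apache_decision(rel_path: str, referer: Optional[str]) -> str:
    """Return 'forbidden' (the [F] flag) or 'allowed' for one request.

    Stacked RewriteCond lines are ANDed, so rules 3 and 4 fire only when the
    referer starts with neither allowed prefix. A missing header makes
    %{HTTP_REFERER} the empty string, which rules 1 and 2 match with ^$ (and
    rules 3 and 4 would reject anyway). Only the header value is inspected,
    so any client that sends an in-site referer is treated as in-site."""
    if not is_protected_path(rel_path):
        return "allowed"
    ref = referer or ""
    if ref == "":
        return "forbidden"  # rules 1 and 2
    if not any(ref.startswith(p) for p in ALLOWED_REFERER_PREFIXES):
        return "forbidden"  # rules 3 and 4
    return "allowed"


if __name__ == "__main__":
    # Constructed sample requests: the hotlinking page from the post (no
    # referer), a genuine in-site page load, a third-party page, a stylesheet.
    for path, ref in [("user/pix.php/3/f1.jpg", None),
                      ("user/pix.php/3/f1.jpg", "https://server.domain/course/view.php?id=2"),
                      ("user/pix.php/3/f1.jpg", "https://elsewhere.example/allpix.html"),
                      ("theme/standard/styles.css", None)]:
        print(apache_decision(path, ref), path, ref)
```

Note that the patterns are case-sensitive, exactly as the rules are written without the [NC] flag.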

In reply to Dave Richford

Re: Stopping Hotlinking of Images

by W Page -
How did this young person have the time to do this??

WP1
In reply to W Page

Re: Stopping Hotlinking of Images

by Timothy Takemoto -
Thanks for pointing this out Dave Richford,

With the high priority placed on protecting personal information where I am, I think that it would be nice from my point of view to consider this a security hole. Perhaps the .htaccess above might be included in the relevant folder?

Relatedly, I just found out about the page
moodle/userpix/ 
A sort of easter egg?

Timothy
In reply to Timothy Takemoto

Re: Stopping Hotlinking of Images

by koen roggemans -
It's accessible for admins only - it gives you the chance to have an overview of what avatars are used on your site - sometimes too "revealing"
In reply to W Page

Re: Stopping Hotlinking of Images

by Dan McMahon -

W Page wrote: How did this young person have the time to do this??

If s/he was technically-inclined enough to figure out the URLs for each pic, I imagine he did something like this:

for count=1 to number_of_users {

    print_to_file('<img src="https://ourdomain.ac.uk/user/pix.php/' + count + '/f1.jpg">')

}

So it probably only took them a few minutes.

In reply to Dave Richford

Re: Stopping Hotlinking of Images

by Martin Dougiamas -
Note that the pictures may be shown but there are no names or other information attached, so it's not really such a security problem.

I have always had this userpics page linked from the moodle.org home page - I think it's fascinating so I'm not surprised that students would too.

The pix.php script deliberately works like it does so that pictures work in emails and so on where you haven't logged in. I have considered attaching the photos to the emails instead ... this may be something to think about.

Anyway, if it's a problem in your situation then what you've done in Apache is a good solution.
In reply to Martin Dougiamas

Re: Stopping Hotlinking of Images

by Haruhiko Okumura -

Relying on HTTP_REFERER is a bad idea because it can be easily forged.

The same problem has recently been disclosed at the biggest Japanese social networking site, and there has been much discussion regarding the inept and irresponsible answer from the site admin. I took this up in the Japanese Moodle course of moodle.org and Prof. Takemoto kindly made a bug report. Petr Škoda told us there that the problem can be easily fixed but will not be fixed. Privacy-conscious admins should consider applying Petr's patch.

In reply to Martin Dougiamas

Re: Stopping Hotlinking of Images

by Dr S Bhatia -
Martin Dougiamas wrote: Note that the pictures may be shown but there are no names or other information attached, so it's not really such a security problem.

Dear Martin

I beg to differ on this statement. Please see the screenshot attached here and in the subsequent post. Names and locations are very much visible, either as tooltip or while the page loads.
Attachment userpix2.JPG