Stopping Hotlinking of Images

Posted by Dave Richford
Number of replies: 8

An enterprising student at our college created a simple HTML page with the following lines - one for each student (2,000 odd in total), with the id incremented in each case.

<img src="https://ourdomain.ac.uk/user/pix.php/3/f1.jpg">
<img src="https://ourdomain.ac.uk/user/pix.php/4/f1.jpg">
...

This displayed all the user photographs from the system on one page and quickly got passed around the college. This resulted in high usage of our server, as each picture is displayed after executing the pix.php script! 2,000 pictures, 2,000 students....

The reason this works is that pix.php does not have any require_login statement. Below is our method of defeating this. It also stops browsing of directories on an Apache server and hotlinking to other people's uploaded assignments.

However, has anyone else come across this or a similar problem and how did you overcome it?

 

In Apache's httpd.conf, enable the mod_rewrite module and set AllowOverride to All for the web root.

In a .htaccess file in your web root put the following (ensure lines do not wrap, else it won't work):

#Stop directory browsing
IndexIgnore *

#Needed for mod_rewrite
Options +FollowSymLinks

#mod_rewrite rules
RewriteEngine On

#Refuse direct requests (no Referer at all) for pictures and uploaded files.
#[NC] makes the extension match case-insensitive so F1.JPG is not a bypass.
RewriteCond %{HTTP_REFERER} ^$
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F,NC]

#Same for the serving scripts. In a per-directory .htaccess the path is tested
#relative to the web root, so (^|/) matches file.php at the root and user/pix.php alike.
RewriteCond %{HTTP_REFERER} ^$
RewriteRule (^|/)(file|pix)\.php - [F,NC]

#Refuse requests whose Referer is not our own site (replace server.domain with your hostname).
RewriteCond %{HTTP_REFERER} !^https://server\.domain
RewriteCond %{HTTP_REFERER} !^http://server\.domain
RewriteRule \.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$ - [F,NC]

RewriteCond %{HTTP_REFERER} !^https://server\.domain
RewriteCond %{HTTP_REFERER} !^http://server\.domain
RewriteRule (^|/)(file|pix)\.php - [F,NC]

Dave

In reply to Dave Richford

Re: Stopping Hotlinking of Images

Posted by W Page
How did this young person have the time to do this??

WP1
In reply to W Page

Re: Stopping Hotlinking of Images

Posted by Timothy Takemoto
Thanks for pointing this out, Dave Richford.

With the high priority placed on protecting personal information where I am, I think that it would be nice from my point of view to consider this a security hole. Perhaps the .htaccess above might be included in the relevant folder?

Relatedly, I just found out about the page
moodle/userpix/ 
A sort of Easter egg?

Timothy
In reply to Timothy Takemoto

Re: Stopping Hotlinking of Images

Posted by koen roggemans
It's accessible to admins only - it gives you the chance to have an overview of what avatars are used on your site - sometimes too "revealing".
In reply to W Page

Re: Stopping Hotlinking of Images

Posted by Dan McMahon

W Page wrote: How did this young person have the time to do this??

If s/he was technically-inclined enough to figure out the URLs for each pic, I imagine he did something like this:

number_of_users = 2000   # "2,000 odd" students, per the original post

# Write one <img> tag per user id into a single HTML page
with open("allpix.html", "w") as f:
    for count in range(1, number_of_users + 1):
        f.write('<img src="https://ourdomain.ac.uk/user/pix.php/%d/f1.jpg">\n' % count)

So it probably only took them a few minutes (smile)

In reply to Dave Richford

Re: Stopping Hotlinking of Images

Posted by Martin Dougiamas
Note that the pictures may be shown but there are no names or other information attached, so it's not really such a security problem.

I have always had this userpics page linked from the moodle.org home page - I think it's fascinating so I'm not surprised that students would too.

The pix.php script deliberately works like it does so that pictures work in emails and so on where you haven't logged in.  I have considered attaching the photos to the emails instead ... this may be something to think about.

Anyway, if it's a problem in your situation then what you've done in Apache is a good solution.
In reply to Martin Dougiamas

Re: Stopping Hotlinking of Images

Posted by Haruhiko Okumura

Relying on HTTP_REFERER is a bad idea because it can be easily forged.

The same problem has recently been disclosed at the biggest Japanese social networking site, and there has been much discussion regarding the inept and irresponsible answer from the site admin. I took this up in the Japanese Moodle course on moodle.org and Prof. Takemoto kindly made a bug report. Petr Škoda told us there that the problem can be easily fixed but will not be fixed. Privacy-conscious admins should consider applying Petr's patch.
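
To make both Dave's rule set and Haruhiko's objection concrete, here is an added Python simulation; it is not code from the thread or from Moodle. It reproduces the decision the .htaccess rules make (refuse a request for a protected extension or for file.php/pix.php unless the Referer begins with the site's own origin), runs it over a few constructed access-log lines, and shows two ways a client gets past it: sending a forged Referer (curl's -e option does this), and using a look-alike host that satisfies the prefix regex. The hostname server.domain, the client addresses and the log lines are all assumed for the demonstration.

```python
import re

# Assumed stand-in for the site's own hostname; the thread's rules use
# "server.domain" as a placeholder and so does this simulation.
SITE_HOST = "server.domain"

# Same patterns as the RewriteRule lines in the .htaccess.
PROTECTED_EXT = re.compile(
    r"\.(jpe?g|gif|bmp|png|doc|dot|ppt|pub|pdf|mdb|xls|rtf)$", re.IGNORECASE)
PROTECTED_SCRIPT = re.compile(r"(^|/)(file|pix)\.php", re.IGNORECASE)
# RewriteCond %{HTTP_REFERER} !^https?://server\.domain is a prefix match,
# exactly as written in the rules, so it is not anchored on the host.
OWN_SITE_REFERER = re.compile(r"^https?://" + re.escape(SITE_HOST))


def is_protected(path):
    """True when either RewriteRule pattern would match this request path."""
    path = path.split("?", 1)[0]      # mod_rewrite matches without the query string
    return bool(PROTECTED_EXT.search(path) or PROTECTED_SCRIPT.search(path))


def referer_allows(referer):
    """True when the Referer is non-empty and begins with the site's own origin."""
    return bool(referer) and OWN_SITE_REFERER.match(referer) is not None


def decide(path, referer):
    """Return 403 where the rules answer [F], otherwise 200 (request is served)."""
    if is_protected(path) and not referer_allows(referer):
        return 403
    return 200


# Constructed access-log lines (Apache combined format); none are real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2008:13:55:36 +0000] "GET /user/pix.php/3/f1.jpg HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:13:55:37 +0000] "GET /user/pix.php/4/f1.jpg HTTP/1.1" 200 2326 "https://student.example/allpix.html" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2008:13:55:38 +0000] "GET /user/pix.php/4/f1.jpg HTTP/1.1" 200 2326 "https://server.domain/user/view.php?id=4" "Mozilla/5.0"',
    # Forged: "curl -e https://server.domain/ <url>" sends whatever Referer it likes.
    '203.0.113.9 - - [10/Oct/2008:13:55:39 +0000] "GET /user/pix.php/5/f1.jpg HTTP/1.1" 200 2326 "https://server.domain/" "curl/7.19.7"',
]

LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" \d+ \S+ "([^"]*)"')


def simulate_log(lines):
    """Apply the rules to each log line; returns (path, referer, status) tuples."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, referer = m.group(1), m.group(2)
        if referer == "-":            # Apache logs a missing header as "-"
            referer = ""
        out.append((path, referer, decide(path, referer)))
    return out


if __name__ == "__main__":
    for path, referer, status in simulate_log(SAMPLE_LOG):
        print(status, path, repr(referer))
    # Look-alike host: the prefix regex accepts it just like the real site.
    print(decide("/user/pix.php/6/f1.jpg", "https://server.domain.example/"))
```

The student's one-page gallery is refused (browsers send the gallery's URL as Referer, or nothing at all), so the rules do solve the load problem Dave describes. The last two cases are why the check is not an access control: a script that sets its own Referer, or a host named server.domain.example, is served exactly like an in-site browser. Keeping a login check in the script itself, which is what the patch Haruhiko mentions amounts to, is the only decision the client cannot influence.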

In reply to Martin Dougiamas

Re: Stopping Hotlinking of Images

Posted by Dr S Bhatia

Martin Dougiamas wrote: Note that the pictures may be shown but there are no names or other information attached, so it's not really such a security problem.

Dear Martin,

I beg to differ on this statement. Please see the screenshot attached here and in the subsequent post. Names and locations are very much visible, either as a tooltip or while the page loads.
Attachment: userpix2.JPG