Security - Disable user registration, and

Hey, I like the phpAlbum, but there are a few security concerns I have. Let me know if you guys want any help.

1) There is no way to disable user registration without modifying code. I don't mind changing the code but it is a pain then to accept updates because I have to take time to change code all over again to implement "my security." Users can still register (by sending a POST to the server) even after you comment out the form options. I actually modified the setup.php so that no one can register.

2) I'm not keen on cookies for login authentication. I added a short session auth. I have pasted the diff below between your main.php and mine after this session change.

3) I actually place videos inside phpAlbum then use a flvplayer that points to those videos and streams them in a pop up window. This is better than having to download the video in my opinion. While doing this I noticed that you could direct link to videos (where as pictures you will get a nice "You are not allowed to view this page." However, I was able to change the themes which fixed this security issue.

4) The code needs more OO and modularity. This is a pretty generic statement. Let me give an example of an improvement that I think would prevent some of these security issues from even happening. Cleaner code means less bugs and less security issues. I'm sure you don't have time to do a complete rehaul of main.php and there is so much going on there that anytime you change 1 single line you risk breaking a lot. However, I think the product would benefit greatly from breaking the code appart into sections. For example, plug-in support is much easier when you use an OO design.

5) Don't use a custom database connector. Some good part of your code relies on this customized database you've created. I won't say that it is unsecure but it's generally not a good idea to re-invent the wheel when there are an abundance of database programs out there, free, open source, and much much better than any database either of us could conjure up in php. To sum it up, reading and writing array structures in files might make someone say, "cool.. that is neat" (and it is) but it just isn't going to be as good a community open source relational database. Of course, I'm guessing you didn't want users to have to install a database (you want phpAlbum to be standalone) but a neat addition would be to add mysql/postgresql/hypersonic/whatever support. I think that would enhance security in a small way as well. This wouldn't be too hard to do if the code was geared towards OO design and had plug-in approach.

Thanks for reading my security suggestions. And once again, let me know any questions if I'm not making sense. Keep up the good work.

- Kelt

**** #2 diff paste for you ****
root@haruko software $ diff main.php Copy\ of\ main.php
20d19
< session_start();
2430,2443d2428
< if ($_SESSION['logged_in'] == false && $cmd != "album" && $cmd != "logo" && $cmd != "theme" && $cmd != "setup" )
< {
< print "You are not allowed to view this page without logging in first!";
< exit;
< }
<
< # if user is still logged in but session expires then log them out!
< if ($_SESSION['logged_in'] == false)
< {
< setcookie("userid","",time()-60*60*24*365);
< setcookie("userpassword","",time()-60*60*24*365);
< }
<
<
2491d2475
< $_SESSION['logged_in'] = false;
2508d2491
< $_SESSION['logged_in'] = true;

Registration

HI there I am relatively new to PHP and web development, I was wondering if you could please share how you disabled the user Registration. Much thanks.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


style="display:inline-block;width:468px;height:60px"
data-ad-client="ca-pub-8698264690166658"
data-ad-slot="4417389723">