How to protect your Images folder?

Discussion in 'ASP General' started by LarryM, Aug 4, 2003.

  1. LarryM

    LarryM Guest

    Hi,

    NB, not to stop capturing the single displayed Image, but to stop downloading
    the entire image directory.
    (In my Website you will do a search, and get some thumbnails, and these can be
    enlarged one by one).

    This topic seems to be frequent.
    Some say that you under no circumstances can protect your images, others seem
    to have preventing solutions.
    Some say that everything uploaded to your web server can be taken down, others
    manage to hide files.

    As far as I understand so far I have an idea that the following might work.
    Please guide me!

    My Web provider has given me a space which has a Root folder, and below it is
    the WebSiteRoot, which contains my website. The Root folder should not be
    available for Web users. There I for instance put my Access DB (accessed through
    ODBC). I have FTP access to this space.

    So, I would like to put my Image folder in the Root folder, and have my Provider
    make it a Virtual Directory in IIS, with an Alias name, and with No Browse
    permissions (I hope that does not stop me from seeing it in my FTP program...),
    but Write permission (for me to upload to it), Read permission (for the Web to get
    the images), and with Anonymous Access set off.

    Then I can refer to this Virtual Directory from inside my Website, using the
    Alias name.
    And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
    outside user should not be able to access it.

    Could this stop a user from downloading any images from my Image-folder?
    Even if they are using some sort of ripoff utility?

    (Or should I have to take a step further and ADO stream the image to the
    htm-page through an ASP page in order to hide the URL completely?)

    (And also, IF the ASP pages are invisible to the browser - could I hide my
    images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
    displays the image even if it is called .asp).

    Thanks
    Larry
     
    LarryM, Aug 4, 2003
    #1

  2. LarryM

    Evertjan. Guest

    LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    > NB, not to stop capturing the single displayed Image, but to stop
    > downloading the entire image directory.


    you can fool some people all the time
    you can fool all people some time
    but ....

    Anything that is downloadable into the browser can be copied.

    So keeping ALL directories on your asp site non browsable is imperative but
    finally security wise useless. Only image files you do not download and
    give an unguessable name are relatively safe. However, what is the use
    having those on site anyway?


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 4, 2003
    #2

  3. LarryM

    LarryM Guest

    On 04 Aug 2003 17:02:23 GMT, "Evertjan." <> wrote:

    >LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    >> NB, not to stop capturing the single displayed Image, but to stop
    >> downloading the entire image directory.

    >


    >
    >Anything that is downloadable into the browser can be copied.
    >

    I don't contradict that..

    Maybe I was unclear.
    The question is if an imagefile displayed in this way is downloadable directly
    from the directory?

    Larry
     
    LarryM, Aug 4, 2003
    #3
  4. LarryM

    Evertjan. Guest

    LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:

    > On 04 Aug 2003 17:02:23 GMT, "Evertjan."
    > <> wrote:
    >
    >>LarryM wrote on 04 aug 2003 in
    >>microsoft.public.inetserver.asp.general:
    >>> NB, not to stop capturing the single displayed Image, but to stop
    >>> downloading the entire image directory.

    >>

    >
    >>
    >>Anything that is downloadable into the browser can be copied.
    >>

    > I don't contradict that..
    >
    > Maybe I was unclear.
    > The question is if an imagefile displayed in this way is downloadable
    > directly from the directory?


    Yes, if you know its name.

    You could hinder that by using an .asp intermediate file that looks at the
    referrer name, but once displayed in a browser, it has a copy in the
    client's tempfiles.


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 4, 2003
    #4
  5. LarryM

    LarryM Guest

    On 04 Aug 2003 19:44:59 GMT, "Evertjan." <> wrote:

    >LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    >
    >> On 04 Aug 2003 17:02:23 GMT, "Evertjan."
    >> <> wrote:
    >>
    >>>LarryM wrote on 04 aug 2003 in
    >>>microsoft.public.inetserver.asp.general:
    >>>> NB, not to stop capturing the single displayed Image, but to stop
    >>>> downloading the entire image directory.
    >>>

    >>
    >>>
    >>>Anything that is downloadable into the browser can be copied.
    >>>

    >> I don't contradict that..
    >>
    >> Maybe I was unclear.
    >> The question is if an imagefile displayed in this way is downloadable
    >> directly from the directory?

    >
    >Yes, if you know it's name.

    Is then also ANY virtual directory (outside the default website) or ANY
    directory on the Server Computer open for any user as long as you know or can
    guess its name (and put in an URL)?
    Is it just a matter of guessing any directory and filename on a server, and then
    you can download it??

    >You could hinder that by using an .asp intermediate file that looks at the
    >referrer name, but once displayed in a browser, it has a copy in the
    >clients tempfiles.


    I say it again: This is not about stopping the image once it has been displayed
    in the browser, not much you can do about that!
    It is about stopping bulk download of the entire image directory!

    So you mean that I have no other option than to go the step which I also
    mentioned: ADO stream the imagefile through an asp-file?

    /Larry
     
    LarryM, Aug 4, 2003
    #5
  6. LarryM

    Evertjan. Guest

    LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    >>Yes, if you know it's name.

    > Is then also ANY virtual directory (outside the default website) or
    > ANY directory on the Server Computer open for any user as long as you
    > know or can guess it's name (and put in an URL)?
    > Is it just a matter of guessing any directory and filename on a
    > server, and then you can download it??
    >
    >>You could hinder that by using an .asp intermediate file that looks at
    >>the referrer name, but once displayed in a browser, it has a copy in
    >>the clients tempfiles.

    >
    > I say it again: This is not about stopping the image once it has been
    > displayed in the browser, not much you can do about that!
    > It is about stoppping bulk download of the entire image directory!
    >
    > So you mean that I have no other option then to go the step which I
    > also mentioned: ADO stream the imagefile through an asp-file?


    Well, in my rented virtual machine, the cgi-bin is not accessible for
    nonexecutables from outer space, so a directory /cgi-bin/images/ is only
    accessible through ADO or scripting-host. The same is true for any normal
    website directory, where you can keep the name secret, as long as you
    have http-directory browsing off.

    So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
    not point to it in any clientside script, but use myimg.asp to fetch it.

    In myimg.asp I would put something like this:

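    <%
    ' Stop unless the request was referred by the approved page.
    ' The server variable is spelled HTTP_REFERER (a single "r").
    If Request.ServerVariables("HTTP_REFERER") <> "http://mysite.org/index.asp" Then Response.End

    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    ' Server.MapPath returns a string, so it is assigned without Set.
    pt = Server.MapPath("/images/secretpathqwerty6284675/")
    ' etc.
    %>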


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 4, 2003
    #6
  7. LarryM

    LarryM Guest

    On 04 Aug 2003 22:15:51 GMT, "Evertjan." <> wrote:

    >LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    >>>Yes, if you know it's name.

    >> Is then also ANY virtual directory (outside the default website) or
    >> ANY directory on the Server Computer open for any user as long as you
    >> know or can guess it's name (and put in an URL)?
    >> Is it just a matter of guessing any directory and filename on a
    >> server, and then you can download it??
    >>
    >>>You could hinder that by using an .asp intermediate file that looks at
    >>>the referrer name, but once displayed in a browser, it has a copy in
    >>>the clients tempfiles.

    >>
    >> I say it again: This is not about stopping the image once it has been
    >> displayed in the browser, not much you can do about that!
    >> It is about stoppping bulk download of the entire image directory!
    >>
    >> So you mean that I have no other option then to go the step which I
    >> also mentioned: ADO stream the imagefile through an asp-file?

    >
    >Well, in my rented virtual machine, the cgi-bin is not accessable for
    >nonexecutables from outer space. so a directory /cgi-bin/images/ is only
    >accessable though ADO or scripting-host. The same is true for any normal
    >webside directory, where you can keep the name of secret, as long as you
    >have http-directory browsing off.
    >
    >So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
    >not point to it in any clientside script, but use myimg.asp to fetch it.
    >
    >In myimg.asp I would put something like this:
    >
    ><%
    >If request.servervariables("http_referrer")
    ><>"http://mysite.org/index.asp" Then response.end
    >
    >Set fs = server.CreateObject ("Scripting.Filesystemobject")
    >Set pt = Server.MapPath("/images/secretpathqwerty6284675/")
    >etc.
    >%>


    Thanks Evertjan!
    Have I got this right:
    If somebody CAN guess that you have a directory
    "/images/secretpathqwerty6284675/", is it then open for access
    for this person, no matter where the directory is situated?
    (I am thinking of outside or inside 'the default website').
    Is it just a matter of knowing the name of the directory to get access to it?

    I am glad that you can bear with my questions, it seems to take a long time for
    me to understand the systems..
    /Larry
     
    LarryM, Aug 4, 2003
    #7
  8. LarryM

    Mark Schupp Guest

    Larry,

    The only way that images can be downloaded (bulk or otherwise) is if the
    downloader knows the URL to each image. Since you have disabled "browse" in
    IIS for that directory there is no way for a download program to reliably
    determine the URLs unless you have links to them embedded in a page that the
    program could parse to get the paths.

    --
    Mark Schupp
    --
    Head of Development
    Integrity eLearning
    Online Learning Solutions Provider

    http://www.ielearning.com
    714.637.9480 x17


    "LarryM" <> wrote in message
    news:...
    > On 04 Aug 2003 19:44:59 GMT, "Evertjan." <> wrote:
    >
    > >LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
    > >
    > >> On 04 Aug 2003 17:02:23 GMT, "Evertjan."
    > >> <> wrote:
    > >>
    > >>>LarryM wrote on 04 aug 2003 in
    > >>>microsoft.public.inetserver.asp.general:
    > >>>> NB, not to stop capturing the single displayed Image, but to stop
    > >>>> downloading the entire image directory.
    > >>>
    > >>>Anything that is downloadable into the browser can be copied.
    > >>>
    > >> I don't contradict that..
    > >>
    > >> Maybe I was unclear.
    > >> The question is if an imagefile displayed in this way is downloadable
    > >> directly from the directory?
    > >
    > >Yes, if you know its name.
    >
    > Is then also ANY virtual directory (outside the default website) or ANY
    > directory on the Server Computer open for any user as long as you know or can
    > guess its name (and put in an URL)?
    > Is it just a matter of guessing any directory and filename on a server, and then
    > you can download it??
    >
    > >You could hinder that by using an .asp intermediate file that looks at the
    > >referrer name, but once displayed in a browser, it has a copy in the
    > >client's tempfiles.
    >
    > I say it again: This is not about stopping the image once it has been displayed
    > in the browser, not much you can do about that!
    > It is about stopping bulk download of the entire image directory!
    >
    > So you mean that I have no other option than to go the step which I also
    > mentioned: ADO stream the imagefile through an asp-file?
    >
    > /Larry
     
    Mark Schupp, Aug 5, 2003
    #8
  9. LarryM

    Bullschmidt Guest

    Bullschmidt, Aug 5, 2003
    #9
  10. If an image is shown in the browser then the client already has a copy of it.
    Therefore, it can save it to a disk file. Disabling directory browsing
    prevents the client from easily building the list of images, but such a list can be
    built by bulk download utilities. For example, wGrabber.

    Best regards,
    Mikhail.


    "LarryM" <> wrote in message
    news:...
    > Hi,
    >
    > NB, not to stop capturing the single displayed Image, but to stop downloading
    > the entire image directory.
    > (In my Website you will do a search, and get some thumbnails, and these can be
    > enlarged one by one).
    >
    > This topic seems to be frequent.
    > Some say that you under no circumstances can protect your images, others seem
    > to have preventing solutions.
    > Some say that everything uploaded to your web server can be taken down, others
    > manage to hide files.
    >
    > As far as I understand so far I have an idea that the following might work.
    > Please guide me!
    >
    > My Web provider has given me a space which has a Root folder, and below it is
    > the WebSiteRoot, which contains my website. The Root folder should not be
    > available for Web users. There I for instance put my Access DB (accessed through
    > ODBC). I have FTP access to this space.
    >
    > So, I would like to put my Image folder in the Root folder, and have my Provider
    > make it a Virtual Directory in IIS, with an Alias name, and with No Browse
    > permissions (I hope that does not stop me from seeing it in my FTP program...),
    > but Write permission (for me to upload to it), Read permission (for the Web to get
    > the images), and with Anonymous Access set off.
    >
    > Then I can refer to this Virtual Directory from inside my Website, using the
    > Alias name.
    > And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
    > outside user should not be able to access it.
    >
    > Could this stop a user from downloading any images from my Image-folder?
    > Even if they are using some sort of ripoff utility?
    >
    > (Or should I have to take a step further and ADO stream the image to the
    > htm-page through an ASP page in order to hide the URL completely?)
    >
    > (And also, IF the ASP pages are invisible to the browser - could I hide my
    > images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
    > displays the image even if it is called .asp).
    >
    > Thanks
    > Larry
     
    Mikhail Tchikalov, Aug 5, 2003
    #10
  11. LarryM

    Evertjan. Guest

    LarryM wrote on 05 aug 2003 in microsoft.public.inetserver.asp.general:
    > Thanks Evertjan!
    > Have I got this right:
    > If somebody CAN guess that you have a directory
    > "/images/secretpathqwerty6284675/", is it then open for access
    > for this person, no matter where the directory is situated?
    > (I am thinking of outside or inside 'the default webside').
    > Is it just a matter of knowing the name of the directory to get access
    > to it?


    I do not know what exactly you mean by "default website"

    Usually all files in your web root "http://mysite.org/" or
    "http://big.org/members/mysite/" or "/" and the lower directories like
    "http://mysite.org/myimages/" are accessible except usually
    "http://mysite.org/cgi-bin/"

    The higher up directories "../" and "c://windows/" should not be.
    [Is this what you mean by "outside"?].

    If you own the server, you can probably change all this [to your peril!].

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 5, 2003
    #11
  12. LarryM

    LarryM Guest

    On 05 Aug 2003 08:16:54 GMT, "Evertjan." <> wrote:

    >LarryM wrote on 05 aug 2003 in microsoft.public.inetserver.asp.general:
    >> Thanks Evertjan!
    >> Have I got this right:
    >> If somebody CAN guess that you have a directory
    >> "/images/secretpathqwerty6284675/", is it then open for access
    >> for this person, no matter where the directory is situated?
    >> (I am thinking of outside or inside 'the default webside').
    >> Is it just a matter of knowing the name of the directory to get access
    >> to it?

    >
    >I do not know what exactly you mean by "default website"
    >
    >Usually all files in your web root "http://mysite.org/" or
    >"http://big.org/members/mysite/" or "/" and the lower directories like
    >"http://mysite.org/myimages/" are accessable exept usually
    >"http://mysite.org/cgi-bin/"
    >
    >The higher up directories "../" and "c://windows/" should not be.
    >[Is this what you mean by outside"?].


    Hi Evertjan,

    Sorry that I have such difficulty to be clear about this.
    I mean 'default website' = Websiteroot and below (typically http://mysite.org/
    and below).

    If I look for a good place for my images I am looking for some directory outside
    the 'default Website'.
    It seems that the only way to reach such a directory from the Web application is
    to make it a Virtual Directory, giving it an URL, and referring to it from a
    html-page.
    It might be as simple as that the Virtual Directory now is acting exactly as if
    it was in the default Website. And then there is no gain in using a Virtual
    Directory from a security point of view.
    My hope was that a Virtual Directory was a little bit harder to reach than a
    directory in the default Website, but I begin to doubt that.

    So my options at the moment seem to be:
    a)
    have a nonbrowsable directory with very-hard-to-guess filenames (UGIUD type,
    '5350298573.jpg'). The single picture displayed in the browser can always be
    captured, but it will be hard to make any bulk downloading.
    Except that I don't know the capabilities of these file grabbing utilities.
    I wonder if renaming the .jpg-files to .asp-files would make them less visible?
    b)
    displaying the image through an .ASP-page that ADO streams the image content to
    the html-page, not showing where the source is.
    Performance loss, but maybe the safest solution so far.
    And the idea must then be that the images are placed in a physical directory
    visible from the DB but not from the Web or any web user.

    It still bothers me that it seems that any directory in your default Website is
    open for access, just you know or guess the directory+filename.
    So it goes in the direction of having a very complex filestructure, and of
    course non-browsable directories. And some performance loss.

    Anyway I wonder if you ever can stop the Grabber utilities..?

    /Larry
     
    LarryM, Aug 5, 2003
    #12
  13. LarryM

    Jeff Cochran Guest

    >Is then also ANY virtual directory (outside the default website) or ANY
    >directory on the Server Computer open for any user as long as you know or can
    >guess it's name (and put in an URL)?


    Coming in late, but no, if the image is outside the HTTP web
    structure, and you have NTFS permissions set correctly, it can't be
    accessed from the web directly.

    >Is it just a matter of guessing any directory and filename on a server, and then
    >you can download it??
    >
    >>You could hinder that by using an .asp intermediate file that looks at the
    >>referrer name, but once displayed in a browser, it has a copy in the
    >>clients tempfiles.

    >
    >I say it again: This is not about stopping the image once it has been displayed
    >in the browser, not much you can do about that!
    >It is about stoppping bulk download of the entire image directory!
    >
    >So you mean that I have no other option then to go the step which I also
    >mentioned: ADO stream the imagefile through an asp-file?


    That may be best. Try a Google for "Anti Leeching" or similar for a
    lot of solutions.

    Jeff
     
    Jeff Cochran, Aug 5, 2003
    #13
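
The ASP streaming approach discussed in the thread, as an added example in classic ASP/VBScript that is not code from any of the posters. The folder `D:\Root\Images\`, the `id` parameter, the `Session("FromSearch")` flag (assumed to be set by the search page) and the per-session cap are assumptions made for the illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' img.asp - added example: stream one image from a folder outside the web root.
' Assumptions (not from the thread): IMAGE_DIR, the "id" query parameter,
' the Session("FromSearch") flag set by the search page, and MAX_PER_SESSION.

Const IMAGE_DIR = "D:\Root\Images\"   ' hypothetical physical path above WebSiteRoot
Const MAX_PER_SESSION = 50            ' hypothetical cap on full-size views per session
Const adTypeBinary = 1                ' ADODB.Stream type constant for binary data

' Send a bare status line and stop processing the request.
Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

Dim id, re, fs, path, stm

' 1. Only visitors who came through the search page (which sets this flag)
'    may fetch images. Unlike the Referer header, which the client supplies,
'    session state is kept on the server.
If Session("FromSearch") <> True Then Deny "403 Forbidden"

' 2. Accept only a short numeric id, so "..\" or a full path can never
'    reach the file system call below.
id = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^[0-9]{1,12}$"
If Not re.Test(id) Then Deny "400 Bad Request"

' 3. Count full-size views per session to slow a script that walks the ids.
Session("Views") = Session("Views") + 1
If Session("Views") > MAX_PER_SESSION Then Deny "429 Too Many Requests"

' 4. Resolve the file and send its bytes; the real folder never appears in a URL.
path = IMAGE_DIR & id & ".jpg"
Set fs = Server.CreateObject("Scripting.FileSystemObject")
If Not fs.FileExists(path) Then Deny "404 Not Found"

Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = "image/jpeg"
Response.AddHeader "Cache-Control", "private"
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
%>
```

A page then refers to the image as `<img src="img.asp?id=5350298573">`. The account the script runs under needs NTFS read permission on the folder, which itself stays outside the web structure.
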
  14. LarryM

    Tom B Guest

    I'm jumping in a little late, but try to think of it this way..
    A user requests a page, they get the page.
    On the page are links to images <img src="thefolder\thefile.jpg">
    The browser then requests those files.

    So, if your images are named in a manner that is easy to figure out (such as
    numerically 1.jpg, 2.jpg etc, or alphabetically a.jpg, b.jpg) then it's hard
    to prevent someone from writing a script to grab all of them.

    To prevent a bulk download script, you can give them hard to guess names
    such as "ThePictureOfBobWearingAFunnyHat.jpg" or you can use the ADO stream
    method you mentioned.

    The Toronto Sunshine Girl page www.canoe.ca/TorontoSunshine only shows the
    Sunshine Girl of the day, however; they store each picture as ssg.jpg in a
    subdirectory of the days date (eg .Aug8/ssg.jpg ) so it didn't take long to
    write a script that produces....
    <img src="Aug8/ssg.jpg">
    <img src="Aug7/ssg.jpg">
    If they had named them individually, such as JaneDoe.jpg, it would have been
    "impossible" to script that.



    "LarryM" <> wrote in message
    news:...
    > Hi,
    >
    > NB, not to stop capturing the single displayed Image, but to stop downloading
    > the entire image directory.
    > (In my Website you will do a search, and get some thumbnails, and these can be
    > enlarged one by one).
    >
    > This topic seems to be frequent.
    > Some say that you under no circumstances can protect your images, others seem
    > to have preventing solutions.
    > Some say that everything uploaded to your web server can be taken down, others
    > manage to hide files.
    >
    > As far as I understand so far I have an idea that the following might work.
    > Please guide me!
    >
    > My Web provider has given me a space which has a Root folder, and below it is
    > the WebSiteRoot, which contains my website. The Root folder should not be
    > available for Web users. There I for instance put my Access DB (accessed through
    > ODBC). I have FTP access to this space.
    >
    > So, I would like to put my Image folder in the Root folder, and have my Provider
    > make it a Virtual Directory in IIS, with an Alias name, and with No Browse
    > permissions (I hope that does not stop me from seeing it in my FTP program...),
    > but Write permission (for me to upload to it), Read permission (for the Web to get
    > the images), and with Anonymous Access set off.
    >
    > Then I can refer to this Virtual Directory from inside my Website, using the
    > Alias name.
    > And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
    > outside user should not be able to access it.
    >
    > Could this stop a user from downloading any images from my Image-folder?
    > Even if they are using some sort of ripoff utility?
    >
    > (Or should I have to take a step further and ADO stream the image to the
    > htm-page through an ASP page in order to hide the URL completely?)
    >
    > (And also, IF the ASP pages are invisible to the browser - could I hide my
    > images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
    > displays the image even if it is called .asp).
    >
    > Thanks
    > Larry
     
    Tom B, Aug 5, 2003
    #14
  15. LarryM

    LarryM Guest

    thanks, all ..
    /Larry
     
    LarryM, Aug 5, 2003
    #15
  16. LarryM

    Scott Scott Guest

    Why not protect the image folder by referrer, only allowing access from
    approved pages within your website?

    That will solve some of your headaches.

    Are these images only available to members (password protected)?

    You can either hand code this, or use AuthentiX.
    http://www.flicks.com

     
    Scott Scott, Aug 6, 2003
    #16