GPL About Home

Other Project

Project Picview  (Gallery/Picture Viewer)


Internet Picture Gallery :: To provide a Web-based picture gallery and picture viewer for PHP powered Web servers, that is both reasonably secure and reasonably simple to operate.

Project output should include PHP code and HTML templates ready to deploy, and instructional operating documentation (if necessary).


In December 2006, a friend of mine had their Web gallery hacked by 8 Chinese hackers in about 30 hours. The gallery software was MG2, which had been found vulnerable almost 12 months prior (and some months after my friend had installed it), and yet there were still no updates or patches made available for it. To rub salt into the wound my friend had disabled Comments, the vulnerable feature, but MG2 simply disabled the Web form, and not the server side processing for Comments, leaving it vulnerable. To seal my friend's fate, MG2 published a version string on every page, allowing attackers to find vulnerable versions via targeted Web searches.

If you've ever tried to put a basic gallery online, you'll know how hard it can be; no database back-end, no stored user data, automatic gallery creation, automatic thumbnail creation, the ability to skin the output simply via HTML and CSS, and some decent cleansing of user input to ensure a reasonable degree of security. This seems like a fair set of requirements, but there's really nothing out there to meet them.

Picview is a single PHP file that can be put in the top level directory of the gallery structure (i.e. public_html/gallery/). It doesn't require a database and it doesn't store any user data. It will automatically enable each sub-directory as a Gallery, and each image file as a Picture. Picview automatically creates thumbnail images on-the-fly, as required. It uses two template files (gallery.tpl and picture.tpl) to allow an administrator to define clean HTML templates, while all Picview HTML output is predefined with CSS class entries, for total customisation. Most importantly, all user input is checked and only valid or correctly defaulted values are passed on.

As with all Midnight Code software, vulnerabilities reported to Midnight Code will be patched.


The following code (source, binaries, patches, etc) have been developed or mirrored for this project;


This project was initiated on Saturday, the 2nd of December 2006. Its last recorded activity stamp is Sunday, the 18th of March 2007.