2

I'm trying to create a PHP webpage that allows the visitor to see a video stream or an image coming from a webcam without allowing the visitors to grab its original URL/URI. In other words, I have an IP camera operating at a given address:port and I can see the stream by embedding in an HTML body something like this:

    <img src="http://5.246.77.89:8080/videostream.cgi?user=myusername&amp;pwd=mypass&amp;resolution=32&amp;rate=15" alt="">

or alternatively if we want a static image:

    <img src="http://5.246.77.89:8080/snapshot.cgi?user=myusername&amp;pwd=mypass" alt="">

Now the problem is that anyone who looks at the HTML code behind the page will see the URL of the camera along with its user/password credentials, obviously. This allows the visitor to connect to the camera at any time even without having to go to the page that is hosting this service; they just need to type the URL into any browser:

    http://myip:myport/videostream.cgi?user=admin&pwd=fewf2d53BVH&resolution=32&rate=15

I don't want the user to be able to do that. So I had an idea: if I'm able to wrap the stream in a PHP webpage acting as a 'man-in-the-middle', I can give the visitor the video without letting them know the original source. The original IP:PORT will be visible only from my server. Obviously they will always be able to use the URL of my webpage, but they will never see the user/password of the camera and I can lock the service out at any time. Furthermore, to improve security I can set up the router hosting the webcam to accept connections coming from my webserver only. This will act as a stealth against malicious users attempting to connect directly to the webcam. What can I do on the server side to obtain this behaviour?

Power Engineering
  • 713
  • 14
  • 26
  • Not much can be done as long as you need to send your login data via GET parameters, since it's open for everyone to see by its nature. What comes to my mind first is making a PHP page that generates and outputs an image (say, with GD; more info here: http://php.net/manual/en/ref.image.php) and then do something like . But this solution seems to be kinda... crippled for me anyway. I think it is a good idea to review the CGI to find out whether login credentials can be passed some other way. – Sam Braslavskiy Oct 04 '14 at 17:18
  • @SamBraslavskiy thanks for your feedback. However, let me highlight that the problem is NOT putting on safety the HTTP transport, that it's impossible due to the GET nature. I don't want that. I just want to make it impossible for the user to continue seeing the video after I decide to do that. My idea to embed the video in something that allows you to see the video without having to give userid and password will void any attempt at bruteforcing. – Power Engineering Oct 04 '14 at 17:45
  • could you please specify if you need to have only imgs from your camera, videos or both? – Sam Braslavskiy Oct 04 '14 at 17:48
  • @SamBraslavskiy My wish is to have two separate scripts, one for video and one for pictures. However, the way they are presented to the host is always the same; the only change between the pages will be the source CGI: videostream.cgi for video, snapshot.cgi for pictures. I guess that the solution would be just to stream out the same data the page receives from the original URL. – Power Engineering Oct 04 '14 at 17:53
  • UPDATE: PHP function passthru seems promising.... – Power Engineering Oct 04 '14 at 18:02
  • I'm afraid you can't embed any video into , except if it's a .gif :-) please correct me if I'm wrong. – Sam Braslavskiy Oct 04 '14 at 18:14

2 Answers

1

Well, at least for images you could use curl... As I've pointed out in the comments, you may create a php file (say, my.php) containing something like the following:

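    <?php
    // Fetch the image server-side so the credentials never reach the browser
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://example.com/?password=4444&login=1111');
    curl_setopt($ch, CURLOPT_HEADER, 0);          // body only, no response headers
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
    $picture = curl_exec($ch);
    curl_close($ch);
    // Stop here if the upstream request failed
    if ($picture === false) {
        http_response_code(502);
        exit;
    }
    // Display the image in the browser
    header('Content-type: image/jpeg');
    echo $picture;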

and then just write:

    <img src='my.php'>

P.S. Although I believe it is NOT the best way to do things, it looks like it solves the problem. No more private data in img src. I have never done anything alike with video formats, but as for images it seems quite easy. You can read more about curl here: http://php.net/manual/en/book.curl.php

Sam Braslavskiy
  • 1,268
  • 10
  • 19
  • 1
    Many thanks for your prompt feedback! Using curl is a very good idea, in fact it works fine for images. You can see the test I've made using your code here: [link](http://web.smartplc.it/SmartSUN/tasks/video2.php). There's no way to understand the original source of the picture. At present it works for pictures, but I'm confident that by working on the headers it's possible to stream video as well. I'll keep you posted! – Power Engineering Oct 05 '14 at 08:36
1

Another solution using above mentioned passthru:

    <?php
    // passthru() executes its argument as a shell command and sends the raw output to the browser
    Header("content-type:image/jpeg");
    passthru("pic.jpg?login=11&pass=22");
    ?>

However, it is still only for images, because of the header... If you find anything that works with videos/video streaming, please, let me know!!

Sam Braslavskiy
  • 1,268
  • 10
  • 19
  • 1
    Well, as said before, it looks promising, but it doesn't work for either images or video. I still believe it's a good starting point, but I guess there's an error in the argument of the passthru function. I have to understand more of this function, which I've never used before. – Power Engineering Oct 05 '14 at 08:39
  • I have not used it either... But I've found a note concerning this func on php.net: "When safe mode is enabled, you can only execute files within the safe_mode_exec_dir. For practical reasons, it is currently not allowed to have .. components in the path to the executable." Maybe the problem lies here... – Sam Braslavskiy Oct 05 '14 at 08:45
  • I've opened another Answer here [link](http://stackoverflow.com/questions/26201343/embedding-video-stream-into-webpage); this time I've also included the real source of the video stream with test credentials. Hope it helps. – Power Engineering Oct 05 '14 at 09:27
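
A streaming variant of the cURL proxy from the first answer, added here as an example and not code from the thread: it relays the camera's response chunk by chunk and forwards only its Content-Type, so both `snapshot.cgi` and `videostream.cgi` can be served while the credentials stay on the server. It assumes the camera answers `videostream.cgi` with an MJPEG stream (`multipart/x-mixed-replace`); the camera host, the credentials and the `mode` parameter are placeholders.

```php
<?php
// Added example, not code from the thread. Host and credentials below are
// placeholders (assumptions); load the real ones from outside the web root.
$camera = [
    'base' => 'http://camera.example.invalid:8080',
    'user' => 'CAMERA_USER',
    'pwd'  => 'CAMERA_PASSWORD',
];
// Allow-list of the two CGI endpoints named in the question.
$endpoints = [
    'video'    => ['videostream.cgi', ['resolution' => 32, 'rate' => 15]],
    'snapshot' => ['snapshot.cgi', []],
];
$mode = $_GET['mode'] ?? 'snapshot'; // "mode" is a hypothetical parameter name
if (!is_string($mode) || !isset($endpoints[$mode])) {
    http_response_code(400);
    exit('unknown mode');
}
[$cgi, $extra] = $endpoints[$mode];
$query = http_build_query(['user' => $camera['user'], 'pwd' => $camera['pwd']] + $extra);

// Stream without a time limit and without PHP output buffering.
set_time_limit(0);
while (ob_get_level() > 0) {
    ob_end_clean();
}

$ch = curl_init("{$camera['base']}/{$cgi}?{$query}");
curl_setopt_array($ch, [
    CURLOPT_CONNECTTIMEOUT => 5,
    // Forward only Content-Type (for MJPEG it carries the multipart boundary).
    CURLOPT_HEADERFUNCTION => function ($ch, $line) {
        if (stripos($line, 'Content-Type:') === 0) {
            header(trim($line));
        }
        return strlen($line);
    },
    // Relay each chunk as it arrives; returning 0 aborts when the viewer leaves.
    CURLOPT_WRITEFUNCTION => function ($ch, $chunk) {
        echo $chunk;
        flush();
        return connection_aborted() ? 0 : strlen($chunk);
    },
]);
// Never echo curl_error(): the message can contain the camera URL.
if (curl_exec($ch) === false && !headers_sent()) {
    http_response_code(502);
}
curl_close($ch);
```

Because the browser only ever sees the proxy's own URL, disabling or access-controlling this one script cuts off every viewer, and the camera's router can be restricted to the web server's address as the question proposes.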