[Vtigercrm-developers] v5.4 documents question

Richard Hills richard at tw.co.nz
Tue Mar 18 11:27:05 GMT 2014


Hi guys

I have seen a live unmodified 5.4 install, which we have running as a 
test for clients who want to see what vtiger can do, end up with an 
injected script inside of a normal documents structure 
(/storage/year/month/week/filename.whatever).

No entry was made to match this in the crmentity table or elsewhere, so 
it seems to be some very large security hole.

I'm just wondering if anyone can point me to the file which handles 
these file uploads so I can get hunting for whatever has allowed this to 
happen.

Thank you
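
The condition described in this message (a file under the storage tree with no matching database record) can be checked across the whole tree by reconciling the files on disk against a list of recorded paths. The following is an added example, not part of the original post and not vtiger code; the function names, the extension list, the sample directory and file names, and the idea of exporting the recorded paths to a list are all assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extensions a web server may execute or render as active content (assumed list).
ACTIVE_EXTS = {".php", ".phtml", ".php5", ".phar", ".pl", ".cgi", ".js", ".html", ".htm"}

def find_orphans(storage_root, known_paths):
    """Return files under storage_root that have no database record.

    known_paths: iterable of paths relative to storage_root, exported from the
    CRM database by whatever query fits your schema (assumption).
    Each result is (relative_path, mtime, is_active_content).
    """
    root = Path(storage_root)
    known = {Path(p).as_posix() for p in known_paths}
    orphans = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if rel in known:
                continue
            # Check every suffix so "name.php.jpg" style names are flagged too.
            active = any(s.lower() in ACTIVE_EXTS for s in full.suffixes)
            orphans.append((rel, full.stat().st_mtime, active))
    # Newest first: recent unexplained files are the ones to examine first.
    return sorted(orphans, key=lambda o: o[1], reverse=True)

def build_sample_tree(root):
    """Constructed sample data: two recorded uploads and one unrecorded file."""
    week = Path(root) / "2014" / "March" / "week3"
    week.mkdir(parents=True)
    for name in ("101_quote.pdf", "102_logo.png", "unknown.php"):
        (week / name).write_bytes(b"sample")
    return ["2014/March/week3/101_quote.pdf", "2014/March/week3/102_logo.png"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        known = build_sample_tree(tmp)
        for rel, mtime, active in find_orphans(tmp, known):
            print(("ACTIVE  " if active else "orphan  ") + rel)
```

The modification times of the flagged files give a window to search in the web server access log for the request that wrote them.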

