[Vtigercrm-developers] If your contact images are working then you have a big security problem
Alan Bell
alan.bell at libertus.co.uk
Fri Mar 6 14:08:17 GMT 2015
Hi all,
In vtiger 6.2 there is a new .htaccess file in /storage/.htaccess
containing "deny from all".
This is a good thing; people shouldn't be able to browse or access files
directly from the storage directory without logging on, but it breaks
the way contact and product images are served up as these are linked
directly to the storage directory. If your contact images are broken,
then great, you have a reasonably secure system. If contact images
display then you will find that going in a browser to
http://myvtigerhost/myvtigerpath/storage will reveal all your
attachments without needing to log on - this is bad.
Whatever version of vtiger you are using, direct access to the storage
directory is a very bad thing. You should block this with a .htaccess
file and ensure that your apache configuration allows the htaccess to
override (by default on Ubuntu it won't) or add in the apache
configuration something like
<Directory /var/www/vtiger/storage>
AllowOverride All
</Directory>
or, don't bother with the .htaccess file and just deny it in the apache
configuration with:
<Directory /var/www/vtiger/storage>
deny from all
</Directory>
To fix your contact/product images after you have successfully broken
them, there is a good-looking suggestion here that I haven't tried out yet:
http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2
Alan.
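An added check, not part of Alan's post, for confirming on an installation you administer that the deny rule actually took effect: it requests /storage/ (and any attachment paths you pass) anonymously and reports whether Apache blocked the request or served the content. It assumes curl is installed and that the base URL you supply (the post's http://myvtigerhost/myvtigerpath is a placeholder) is your own vtiger site.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Probe a vtiger installation
# you administer and report whether /storage/ is served to an anonymous
# client. Assumes curl is installed; the base URL and any attachment
# paths are supplied by the caller.

# Map an HTTP status plus response body to a verdict. 403 is what
# "deny from all" (Apache 2.2) or "Require all denied" (2.4) returns;
# 200 means the server handed the content out without a login.
classify_response() {
  local status="$1" body="$2"
  case "$status" in
    403) echo "blocked" ;;
    401) echo "blocked (auth required)" ;;
    404) echo "not-found" ;;
    200)
      if printf '%s' "$body" | grep -qi 'index of'; then
        echo "EXPOSED: directory listing"
      else
        echo "EXPOSED: content served"
      fi ;;
    30[12378]) echo "redirected" ;;
    000) echo "unreachable" ;;
    *) echo "unexpected-$status" ;;
  esac
}

# Fetch a URL with no cookies and no redirect following; print
# "<status> <verdict>". Only the first 4 KiB of the body is inspected.
probe_url() {
  local url="$1" tmp status body
  tmp="$(mktemp)"
  status="$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$url")"
  body="$(head -c 4096 "$tmp" | tr -d '\0')"
  rm -f "$tmp"
  printf '%s %s\n' "${status:-000}" "$(classify_response "${status:-000}" "$body")"
}

# Check /storage/ plus any extra paths given; return 1 if anything is exposed.
check_storage() {
  local base="${1%/}" path line rc=0
  shift
  for path in "/storage/" "$@"; do
    line="$(probe_url "$base$path")"
    printf '%-40s %s\n' "$path" "$line"
    case "$line" in *EXPOSED*) rc=1 ;; esac
  done
  return "$rc"
}
```

Run it as `check_storage http://myvtigerhost/myvtigerpath /storage/some/attachment.png`; a non-zero exit means the directory or the named file is reachable without logging on, and after fixing that you should re-check that images still load through the application itself.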