[Vtigercrm-developers] If your contact images are working then you have a big security problem

Uma S uma.s at vtiger.com
Sat Mar 7 14:17:02 GMT 2015


Hi Alan,

We are not able to reproduce this issue locally: access to the storage
folder throws a "permission denied" error. A screenshot has been attached.

Please let us know if any particular test case needs to be followed to
reproduce the issue.

On Fri, Mar 6, 2015 at 7:38 PM, Alan Bell <alan.bell at libertus.co.uk> wrote:

> Hi all,
>
> In vtiger 6.2 there is a new .htaccess file in */storage/*.htaccess
> containing "deny from all".
>
> This is a good thing: people shouldn't be able to browse or access files
> directly from the storage directory without logging on, but it breaks the
> way contact and product images are served up, as these are linked directly
> to the storage directory. If your contact images are broken, then great,
> you have a reasonably secure system. If contact images display, then you
> will find that going in a browser to
> http://myvtigerhost/myvtigerpath/storage will reveal all your attachments
> without needing to log on - this is bad.
> Whatever version of vtiger you are using, direct access to the storage
> directory is a very bad thing. You should block this with a .htaccess file
> and ensure that your apache configuration allows the htaccess to override
> (by default on Ubuntu it won't) or add in the apache configuration
> something like
>
> <Directory /var/www/vtiger/storage>
>   AllowOverride All
> </Directory>
>
> or, don't bother with the .htaccess file and just deny it in the apache
> configuration with:
>
> <Directory /var/www/vtiger/storage>
>   deny from all
> </Directory>
>
> To fix your contact/product images after you have successfully broken them,
> there is a good-looking suggestion here that I haven't tried out yet:
>
> http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2
>
> Alan.
>
> _______________________________________________
> http://www.vtiger.com/
>



-- 
With
Best Regards
Uma.S
Vtiger Team
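An added check, written for this page and not code from vtiger or either mail, that probes a vtiger base URL (a placeholder you supply) for the storage directory the way Alan describes and reports whether the web server is blocking it. The probe paths other than storage/ are assumptions about a typical layout; redirects are not followed, so a bounce to the login page is reported as inconclusive rather than as "exposed".

```python
"""Verify that a vtiger installation's storage directory is not web-readable."""
import sys
import urllib.error
import urllib.request

# Paths checked relative to the vtiger base URL. "storage/" is the one named
# in the mail; the other two are assumed examples of a typical layout.
PROBE_PATHS = ("storage/", "storage/2015/", "storage/index.html")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make 3xx responses surface as HTTPError instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url):
    """Default fetcher: HTTP status code for a GET of url, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to a verdict for a storage probe."""
    if status == 200:
        return "exposed"      # content served without login
    if status == 403:
        return "blocked"      # deny from all / Require all denied in effect
    if status == 404:
        return "missing"      # path does not exist; inconclusive
    if 300 <= status < 400:
        return "redirected"   # e.g. bounced to login; inspect manually
    return "unexpected"


def audit_storage(base_url, fetch=http_status, paths=PROBE_PATHS):
    """Probe each path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(fetch(base + p)) for p in paths}


def storage_is_protected(report):
    """True only if nothing was served and at least one probe was refused."""
    verdicts = set(report.values())
    return "exposed" not in verdicts and "blocked" in verdicts


if __name__ == "__main__":
    rep = audit_storage(sys.argv[1])
    for path, verdict in rep.items():
        print(f"{path:22} {verdict}")
    print("protected" if storage_is_protected(rep) else "NOT protected")
```

On Apache 2.4 the equivalent of Alan's "deny from all" block is `Require all denied`; the old syntax only keeps working there while mod_access_compat is loaded.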
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image_access.png
Type: image/png
Size: 39627 bytes
Desc: not available
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20150307/68b73cba/attachment-0001.png>