[Vtigercrm-developers] If your contact images are working then you have a big security problem
Alan Bell
alan.bell at libertus.co.uk
Fri Mar 20 12:35:42 GMT 2015
so the security on the folder is working, but are contact images working
for you? I think that if you add a contact image, then you will get a
broken image on the contact like this:
because the url to the image is a direct link into the storage directory.
Alan.
On 07/03/15 14:17, Uma S wrote:
> Hi Alan,
>
> We are not able to reproduce this issue locally, where access to the
> storage folder throws a permission denied error; a screenshot has been
> attached.
>
> Please let us know if any particular test case needs to be followed to
> reproduce the issue?
>
> On Fri, Mar 6, 2015 at 7:38 PM, Alan Bell <alan.bell at libertus.co.uk
> <mailto:alan.bell at libertus.co.uk>> wrote:
>
> Hi all,
>
> in vtiger 6.2 there is a new .htaccess file in
> storage/.htaccess containing "deny from all"
>
> this is a good thing, people shouldn't be able to browse or access
> files directly from the storage directory without logging on, but
> it breaks the way contact and product images are served up as
> these are linked directly to the storage directory. If your
> contact images are broken, then great, you have a reasonably
> secure system. If contact images display then you will find that
> going in a browser to http://myvtigerhost/myvtigerpath/storage
> will reveal all your attachments without needing to log on - this
> is bad.
> Whatever version of vtiger you are using, direct access to the
> storage directory is a very bad thing. You should block this with
> a .htaccess file and ensure that your apache configuration allows
> the htaccess to override (by default on Ubuntu it won't) or add in
> the apache configuration something like
>
> <Directory /var/www/vtiger/storage>
> AllowOverride All
> </Directory>
>
> or, don't bother with the .htaccess file and just deny it in the
> apache configuration with:
>
> <Directory /var/www/vtiger/storage>
> deny from all
> </Directory>
>
> To fix your contact/product images after you have successfully
> broken them, there is a good looking suggestion here that I haven't
> tried out yet:
> http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2
>
>
> Alan.
>
> _______________________________________________
> http://www.vtiger.com/
>
>
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>
>
> _______________________________________________
> http://www.vtiger.com/