[Vtigercrm-developers] If your contact images are working then you have a big security problem

Uma S uma.s at vtiger.com
Fri Mar 20 16:28:03 GMT 2015


Hi Alan,

Yes, this issue is reproducible. We have reported this in trac
<http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/8517> and will look into this.

On Fri, Mar 20, 2015 at 6:05 PM, Alan Bell <alan.bell at libertus.co.uk> wrote:

>  so the security on the folder is working, but are contact images working
> for you? I think that if you add a contact image, then you will get a
> broken image on the contact like this:
>
>
> because the url to the image is a direct link into the storage directory.
>
> Alan.
>
>
>
> On 07/03/15 14:17, Uma S wrote:
>
> Hi Alan,
>
>  We are not able to reproduce this issue locally, where access to the storage
> folder throws a permission denied error; a screenshot has been attached.
>
>  Please let us know if any particular test case needs to be followed to
> reproduce the issue.
>
> On Fri, Mar 6, 2015 at 7:38 PM, Alan Bell <alan.bell at libertus.co.uk>
> wrote:
>
>>  Hi all,
>>
>> in vtiger 6.2 there is a new .htaccess file at /storage/.htaccess
>> containing "deny from all"
>>
>> this is a good thing; people shouldn't be able to browse or access files
>> directly from the storage directory without logging on, but it breaks the
>> way contact and product images are served up, as these are linked directly
>> to the storage directory. If your contact images are broken, then great,
>> you have a reasonably secure system. If contact images display, then you
>> will find that going in a browser to
>> http://myvtigerhost/myvtigerpath/storage will reveal all your
>> attachments without needing to log on - this is bad.
>> Whatever version of vtiger you are using, direct access to the storage
>> directory is a very bad thing. You should block this with a .htaccess file
>> and ensure that your apache configuration allows the htaccess to override
>> (by default on Ubuntu it won't) or add in the apache configuration
>> something like
>>
>> <Directory /var/www/vtiger/storage>
>>   AllowOverride All
>> </Directory>
>>
>> or, don't bother with the .htaccess file and just deny it in the apache
>> configuration with:
>>
>> <Directory /var/www/vtiger/storage>
>>   deny from all
>> </Directory>
>>
>> To fix your contact/product images after you have successfully broken
>> them, there is a good-looking suggestion here that I haven't tried out yet.
>>
>> http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2
>>
>> Alan.
>>
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
>
>
>  --
>  With
> Best Regards
> Uma.S
> Vtiger Team



-- 
With
Best Regards
Uma.S
Vtiger Team
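Added example, not part of the thread above: the Apache configuration Alan describes, written out for both the 2.2 syntax he quotes and the 2.4 syntax, since a 2.4 server without mod_access_compat rejects "deny from all" as a syntax error (in an .htaccess file that surfaces as an HTTP 500, not as a denial). The path /var/www/vtiger/storage is the one from Alan's mail; the rest of the block is mine and assumes a stock Apache with the storage directory under the web root.

```apache
# Added example (not from the thread): deny direct web access to the vtiger
# storage directory in the main Apache configuration rather than relying on
# an .htaccess file. Putting it here means it works even when the vhost has
# AllowOverride None, which is the Ubuntu default for /var/www and is why an
# .htaccess with "deny from all" can be silently ignored while the images
# still display.
# Path from Alan's mail; adjust to your install.

# Apache 2.4 and later (authz_core syntax).
<Directory /var/www/vtiger/storage>
    Require all denied
    # Defence in depth: never produce a directory listing even if the
    # deny above is later loosened for a sub-path.
    Options -Indexes
</Directory>

# Apache 2.2, or 2.4 with mod_access_compat loaded (legacy syntax).
# Use one form or the other for a given Directory block, not both.
#<Directory /var/www/vtiger/storage>
#    Order deny,allow
#    Deny from all
#</Directory>

# If you would rather keep the .htaccess file, the directory the vhost
# serves from needs at least this so Apache reads it at all
# ("Require" needs AllowOverride AuthConfig, "Deny" needs AllowOverride Limit;
# "All" covers both):
#<Directory /var/www/vtiger>
#    AllowOverride All
#</Directory>
```

After "apachectl configtest" and a reload, request the storage URL from the thread directly in a browser or with a plain HTTP client while logged out: a 403 means the block is in effect; a 200, a file download or a directory listing means it is not, and the attachments are exposed exactly as Alan describes. Expect contact and product images to break at that point, which is the intended result; serving them again is the separate fix linked in his mail.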