<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi all,
<br>
<br>
in vtiger 6.2 there is a new .htaccess file in <i
class="moz-txt-slash"><span class="moz-txt-tag">/</span>storage<span
class="moz-txt-tag">/</span></i>.htaccess containing "deny from
all"
<br>
<br>
this is a good thing, people shouldn't be able to browse or access
files directly from the storage directory without logging on, but it
breaks the way contact and product images are served up as these are
linked directly to the storage directory. If your contact images are
broken, then great, you have a reasonably secure system. If contact
images display then you will find that going in a browser to <a
class="moz-txt-link-freetext"
href="http://myvtigerhost/myvtigerpath/storage">http://myvtigerhost/myvtigerpath/storage</a>
will reveal all your attachments without needing to log on - this is
bad.
<br>
Whatever version of vtiger you are using, direct access to the
storage directory is a very bad thing. You should block this with a
.htaccess file and ensure that your apache configuration allows the
htaccess to override (by default on Ubuntu it won't) or add in the
apache configuration something like
<br>
<br>
<Directory /var/www/vtiger/storage>
<br>
AllowOverride All
<br>
</Directory>
<br>
<br>
or, don't bother with the .htaccess file and just deny it in the
apache configuration with:
<br>
<br>
<Directory /var/www/vtiger/storage>
<br>
deny from all
<br>
</Directory>
<br>
<br>
to fix your contact/product images after you have successfully
broken them there is a good looking suggestion here that I haven't
tried out yet.
<br>
<a class="moz-txt-link-freetext"
href="http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2">http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2</a>
<br>
<br>
Alan.
</body>
</html>