<div dir="ltr">Hi Alan,<div><br></div><div>Yes, this issue is reproducible. We have reported this here in <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/8517">trac</a> and will look into this.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 20, 2015 at 6:05 PM, Alan Bell <span dir="ltr">&lt;<a href="mailto:alan.bell@libertus.co.uk" target="_blank">alan.bell@libertus.co.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    so the security on the folder is working, but are contact images
    working for you? I think that if you add a contact image, then you
    will get a broken image on the contact like this:<br>
    <img src="cid:part1.06070504.02000207@libertus.co.uk" alt=""><br>
    <br>
    because the url to the image is a direct link into the storage
    directory.<br>
    <br>
    Alan.<div><div class="h5"><br>
    <br>
    <br>
    <div>On 07/03/15 14:17, Uma S wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">Hi Alan,
        <div><br>
        </div>
        <div>We are not able to reproduce this issue locally, where
          access to the storage folder throws a permission denied error;
          a screenshot has been attached.</div>
        <div><br>
        </div>
        <div>Please let us know if any particular test case needs to be
          followed to reproduce the issue.</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Mar 6, 2015 at 7:38 PM, Alan
          Bell <span dir="ltr">&lt;<a href="mailto:alan.bell@libertus.co.uk" target="_blank">alan.bell@libertus.co.uk</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hi all, <br>
              <br>
              in vtiger 6.2 there is a new .htaccess file in <i><span>/</span>storage<span>/</span></i>.htaccess
              containing "deny from all" <br>
              <br>
              this is a good thing, people shouldn't be able to browse
              or access files directly from the storage directory
              without logging on, but it breaks the way contact and
              product images are served up as these are linked directly
              to the storage directory. If your contact images are
              broken, then great, you have a reasonably secure system.
              If contact images display then you will find that going in
              a browser to <a href="http://myvtigerhost/myvtigerpath/storage" target="_blank">http://myvtigerhost/myvtigerpath/storage</a>
              will reveal all your attachments without needing to log on
              - this is bad. <br>
              Whatever version of vtiger you are using, direct access to
              the storage directory is a very bad thing. You should
              block this with a .htaccess file and ensure that your
              apache configuration allows the htaccess to override (by
              default on Ubuntu it won't) or add in the apache
              configuration something like <br>
              <br>
              &lt;Directory /var/www/vtiger/storage&gt; <br>
                AllowOverride All <br>
              &lt;/Directory&gt; <br>
              <br>
              or, don't bother with the .htaccess file and just deny it
              in the apache configuration with: <br>
              <br>
              &lt;Directory /var/www/vtiger/storage&gt; <br>
                deny from all <br>
              &lt;/Directory&gt; <br>
              <br>
              to fix your contact/product images after you have
              successfully broken them there is a good looking
              suggestion here that I haven't tried out yet. <br>
              <a href="http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2" target="_blank">http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2</a>
              <br>
              <span><font color="#888888"> <br>
                  Alan. </font></span></div>
            <br>
            _______________________________________________<br>
            <a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">With<br>
            Best Regards<br>
            Uma.S<br>
            <div>Vtiger Team</div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div>
    </blockquote>
    <br>
  </div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>
</div>
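<p>Added example, not part of the original thread or of vtiger's code: a simplified Python check of the point made in the first message, that a "deny from all" .htaccess in the storage directory only protects it when AllowOverride lets Apache read it, or when the deny sits in the server configuration itself. The sample configuration and all function names are constructed; the model reads only &lt;Directory&gt; blocks and ignores Include, Order and &lt;Location&gt;.</p>

```python
import re

# Constructed sample modelled on a stock Ubuntu Apache 2.4 layout (not from the thread).
BASE_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/>
    AllowOverride None
    Require all granted
</Directory>
"""
STORAGE = "/var/www/vtiger/storage"   # path used in the thread's snippets

# Deny-all in the 2.2 style quoted in the thread, or the 2.4 equivalent.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
ACCESS = re.compile(r"^\s*(require|deny|allow)\s", re.I | re.M)
SECTION = re.compile(r'<Directory\s+"?([^">]+?)/?"?\s*>(.*?)</Directory>', re.I | re.S)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)

def covering_sections(conf, target):
    """<Directory> blocks that apply to target, least specific first."""
    found = [(p, b) for p, b in SECTION.findall(conf)
             if target == p or target.startswith(p.rstrip("/") + "/")]
    return sorted(found, key=lambda s: len(s[0]))

def audit_storage(conf, htaccess, storage=STORAGE):
    """Return (protected, reason) for direct web access to the storage dir."""
    denied, override = False, ["none"]      # AllowOverride defaults to None in 2.4
    for _, body in covering_sections(conf, storage):
        if ACCESS.search(body):             # a more specific block replaces the verdict
            denied = bool(DENY.search(body))
        m = OVERRIDE.search(body)
        if m:
            override = m.group(1).lower().split()
    rule = DENY.search(htaccess or "")
    if rule:
        # "deny" needs the Limit override class, "Require" needs AuthConfig.
        needed = "limit" if rule.group(1).lower().startswith("deny") else "authconfig"
        if "all" in override or needed in override:
            return True, ".htaccess is honoured"
        if not denied:
            return False, ".htaccess ignored: AllowOverride " + " ".join(override)
    if denied:
        return True, "denied in server config"
    return False, "no effective deny rule"

if __name__ == "__main__":
    print(audit_storage(BASE_CONF, "deny from all\n"))
```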