Feng Forum

: tmp
: etienne March 03, 2016, 04:41:00 AM
Hi,

I'm a new user and manager of Feng. I configured email accounts and I noticed that the folder tmp now contains several HTML files named after a pattern x_y_z_temp_mail_content.html that contain the plain-text contents of the emails! These files, whose names are not especially complicated, are accessible and readable by everyone, even when not logged in. Isn't this a security breach, and how can it be corrected? If we use the .htaccess solution, I guess the risk is to break the access to the files even for the logged-in users.

Thanks
: Re: tmp
: conrado March 03, 2016, 11:38:04 AM
Hi Etienne,

This is a very good observation.

You can solve it through .htaccess configuration, and through your firewall. It is a good security practice to limit the IPs that can access your installation.

Nonetheless, your question has prompted us to create a task to improve this on an upcoming version. Version 3.4.1 is about to be released, so it won't make it to that one. Most likely it will be a 3.4.1.1.

Thanks!
: Re: tmp
: etienne March 03, 2016, 01:57:20 PM
Hi,

Thanks for your quick answer.

I added one line to htaccess: "deny from all". It solved the problem; I hope it will not break anything else.

If not, it is pretty simple to fix and I invite your team to consider doing it as soon as possible, as I consider it a major security issue that, moreover, is now publicly known.

Best regards
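
The .htaccess fix discussed in this thread, written out as an added example (not from the posters or the Feng Office project). It assumes the file is placed at tmp/.htaccess inside the installation and that the web server is Apache; the second branch is the Apache 2.2 form of the "deny from all" line quoted above, the first is its Apache 2.4 equivalent.

```apache
# tmp/.htaccess (assumed location: the tmp folder that holds the
# *_temp_mail_content.html files mentioned in the thread)
#
# This blocks HTTP requests only. PHP code that reads or writes these
# files through the filesystem is not affected by it.
#
# Prerequisite in the main server configuration: AllowOverride for this
# directory must permit these directives (AuthConfig for Require, Limit
# for Order/Deny). With "AllowOverride None" this file is silently
# ignored and the files stay publicly readable.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2, where mod_authz_core does not exist
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

To confirm the rule is active, request one of the existing temp files from a browser with no Feng session; the server should answer 403 Forbidden instead of returning the mail content.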