Author Topic: tmp  (Read 217 times)

etienne

  • Newbie
  • *
  • Posts: 3
tmp
« on: March 03, 2016, 04:41:00 am »
Hi,

I'm a new user and manager of Feng. I configured email accounts and I noticed that the folder tmp now contains several HTML files named after a pattern x_y_z_temp_mail_content.html that contain the plain-text contents of the emails! These files, whose names are not especially complicated, are accessible and readable by everyone, even when not logged in. Isn't this a security breach, and how can it be corrected? If we use the .htaccess solution, I guess the risk is to break the access to the files even for the logged-in users.

Thanks

conrado

  • Administrator
  • Hero Member
  • *****
  • Posts: 998
  • Conrado
Re: tmp
« Reply #1 on: March 03, 2016, 11:38:04 am »
Hi Etienne,

This is a very good observation.

You can solve it through .htaccess configuration, and through your firewall. It is a good security practice to limit the IPs that can access your installation.

Nonetheless, your question has prompted us to create a task to improve this in an upcoming version. Version 3.4.1 is about to be released, so it won't make it to that one. Most likely it will be a 3.4.1.1.

Thanks!

etienne

  • Newbie
  • *
  • Posts: 3
Re: tmp
« Reply #2 on: March 03, 2016, 01:57:20 pm »
Hi,

Thanks for your quick answer.

I added one line to .htaccess: "deny from all". It solved the problem; I hope it will not break anything else.

If not, it is pretty simple to fix and I invite your team to consider doing it as soon as possible, as I consider it a major security issue that, moreover, is now publicly known.

Best regards
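
An added example, not part of the original thread and not Feng Office code: a small audit that checks whether a tmp folder holds files matching the x_y_z_temp_mail_content.html pattern and whether its .htaccess carries a blanket deny, in the "deny from all" form used above or the Apache 2.4 "Require all denied" form. The function names and the sample directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Filename pattern reported in the thread: x_y_z_temp_mail_content.html
MAIL_FILE = re.compile(r".+_temp_mail_content\.html$")
# Blanket-deny directives: Apache 2.2 syntax (used in the thread) and 2.4 syntax
DENY_22 = re.compile(r"^\s*deny\s+from\s+all\s*$", re.I)
DENY_24 = re.compile(r"^\s*require\s+all\s+denied\s*$", re.I)


def htaccess_denies_all(tmp_dir: Path) -> bool:
    """True if tmp_dir/.htaccess contains an uncommented blanket deny."""
    htaccess = tmp_dir / ".htaccess"
    if not htaccess.is_file():
        return False
    for line in htaccess.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        if DENY_22.match(line) or DENY_24.match(line):
            return True
    return False


def audit_tmp(tmp_dir) -> dict:
    """Report mail-content files in tmp_dir and whether a deny rule covers them."""
    tmp_dir = Path(tmp_dir)
    mail_files = sorted(p.name for p in tmp_dir.iterdir()
                        if p.is_file() and MAIL_FILE.match(p.name))
    denied = htaccess_denies_all(tmp_dir)
    return {"deny_rule": denied, "mail_files": mail_files,
            "exposed": bool(mail_files) and not denied}


def demo() -> tuple:
    """Audit a constructed tmp directory before and after adding the rule."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "1_2_3_temp_mail_content.html").write_text("<p>constructed sample</p>")
        (root / "cache.php").write_text("")  # unrelated file, must be ignored
        before = audit_tmp(root)
        (root / ".htaccess").write_text("# block direct HTTP access\ndeny from all\n")
        after = audit_tmp(root)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The audit only reads the files on disk: Apache honours a .htaccess rule only where AllowOverride permits it, so an unauthenticated request for one of the listed files should still be checked to confirm it is refused.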

 
