Security vulnerability, and an attachment question.
First the security. Any insight on when this security flaw will be fixed? It's CVE-2017-14396 (SQL injection), which was reported 3 months ago. Seems to me it's important. Or is there a patch available for it?
I've seen that new attachments in the attachment directory (if you store attachments on the file system and not in the database) are created like this:
d-wxr-xr-t 2 user user 4.0K 2017-12-17 15:38 a
and so on.
But why world readable? I don't mind the sticky bit, but why are these folders made world readable?
Or is that because my directory is 755 and they won't be created world readable anymore if I chmod the attachment directory to 750?
If it can't be done this way, what's the best .htaccess content so that only logged-in customers, agents and osTicket can read the attachments?
We don't need world access since we're using mod_ruid2.
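The two permission questions above (does a 750 parent directory make new subdirectories 750, and how to keep the web server from handing attachments out directly) can be checked on any Linux box. The script below is an added example, not code from the original post or from the osTicket project. It shows that the mode of a newly created directory comes from the creating process's umask applied to the mode the creator asks for (mkdir(2) never consults the parent directory's mode; only the setgid bit is inherited), that the trailing "t" in a listing such as drwxr-xr-t is the 1755 sticky bit, and it writes a deny-all .htaccess. Assumptions: the test directories are constructed under mktemp; the .htaccess fragment assumes Apache (2.4 syntax with a 2.2 fallback) with AllowOverride enabled, and only matters if the attachment directory sits under the document root. Whether a given PHP process honours a 027 umask depends on how that process is started, which this script does not configure.

```shell
#!/bin/sh
# Added example: directory permissions are set by the creator's umask,
# not by the parent directory's mode. Not part of osTicket or the original post.

# dir_mode PATH: print the octal permission bits of PATH.
# GNU stat (-c) is tried first; the BSD/macOS form is the fallback.
dir_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# make_dir_with_umask UMASK PARENT NAME
# Creates PARENT/NAME in a subshell running under UMASK (mkdir requests 0777,
# the kernel masks it) and prints the mode the new directory actually got.
make_dir_with_umask() (
    umask "$1"
    mkdir "$2/$3" || exit 1
    dir_mode "$2/$3"
)

# demo_umask_vs_parent: a 750 parent (like a chmod 750 attachment dir) with
# children created under three umasks. Prints "<umask022> <umask027> <umask077>".
demo_umask_vs_parent() (
    tmp=$(mktemp -d) || exit 1          # constructed scratch directory
    chmod 750 "$tmp"
    a=$(make_dir_with_umask 022 "$tmp" a)   # 755: world can list/traverse
    b=$(make_dir_with_umask 027 "$tmp" b)   # 750: world gets nothing
    c=$(make_dir_with_umask 077 "$tmp" c)   # 700: owner only
    rm -rf "$tmp"
    echo "$a $b $c"
)

# sticky_dir_mode: the 't' in drwxr-xr-t is the sticky bit; mkdir -m applies
# the requested mode as chmod would, so the umask does not reduce it.
sticky_dir_mode() (
    tmp=$(mktemp -d) || exit 1
    mkdir -m 1755 "$tmp/a" || exit 1
    m=$(dir_mode "$tmp/a")
    rm -rf "$tmp"
    echo "$m"
)

# write_deny_htaccess DIR: refuse every direct HTTP request into DIR.
# Apache cannot know who is logged in to the application; the application
# (running as the file owner) reads the files and serves them itself.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct web access to stored attachments; the application serves them.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

echo "children of a 750 parent under umask 022/027/077: $(demo_umask_vs_parent)"
echo "mkdir -m 1755 (the 't' in drwxr-xr-t): $(sticky_dir_mode)"
```

Run it as the user the PHP process runs as; the first line is the one that answers the 755-versus-750 question. The practical lever is therefore the umask of the process that creates the attachment directories, and the deny-all .htaccess (or keeping the directory outside the document root) is what stops anonymous HTTP clients from fetching files by path.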