Assets folder is not whitelisted?!?
Hi,
Came across https://cx.rightnow.com/app/answers/detail/a_id/10767 yesterday to my astonishment. Specifically:
Some of the core files under euf/assets/ are required to run end user pages, so they can't be locked down, which means that the 'ENDUSER_HOSTS' configuration settings will NOT block access to files under euf/assets/ folder.
This is very worrying - what if someone has sensitive files in the assets folders? If they're not meant to be put there, then where are they meant to be stored?
Does anyone else have a problem with the explanation given? Surely by default you would absolutely allow the server requesting the files to be whitelisted or just generally allowed access?