Due to a medium-risk potential information disclosure, it is recommended to update BreezingForms Full and BreezingForms Lite to their latest versions (latest versions are at the time of writing: Build 884 for the full version and Build 912 for the Lite version).
Additionally, it is recommended to check that your hosting disables directory indexes (it should by default). If not, please add "Options -Indexes" to your website's main .htaccess file.
The updates come with a few practical implications:
- The default upload folder is now forced to have an .htaccess file containing the apache rule "deny from all" (non-apache users should consider creating an equivalent setup or choosing an upload folder outside of the webroot).
- If you use the "Use Web Url" feature to display the http(s) path to the uploaded files, please create a custom upload folder and adjust the path in your form setup accordingly.
- Exports (PDF, CSV, XML) in the record manager are no longer stored on the server; the downloads are performed on-the-fly.
- Exports (PDF, CSV, XML) attached to email notifications are still stored, but now in the default upload folder as specified in BreezingForms' main configuration.
- Existing export backups located in /components/com_breezingforms/exports/ will automatically be removed after the update (please backup these files if you need them before you apply any update).
- Package exports are also performed on-the-fly only, and no files are allowed in the folder /administrator/components/com_breezingforms/packages/ with the exception of the default package (stdlib.english.xml).
Lite users please upgrade here.
Full users please login and download the update.
If you no longer have access to your membership, you can contact our support for a patch matching your version OR place an .htaccess file containing "deny from all" into the folders "/components/com_breezingforms/exports/" and "/administrator/components/com_breezingforms/packages/". If you aren't using apache, apply your webserver's equivalent.
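The two manual mitigations above (disabling directory indexes in the main .htaccess, and placing a "deny from all" .htaccess into the exports and packages folders) can be applied and verified with a small POSIX shell script. The script below is an added example, not part of the advisory or of BreezingForms itself; the webroot path is an assumption you supply via the WEBROOT variable, and the folder names are the ones the advisory lists. It writes both the Apache 2.2 `Deny from all` form and the Apache 2.4 `Require all denied` form inside `<IfModule>` guards so the rule holds on either version, and it is idempotent, so re-running it does not duplicate directives.

```shell
#!/bin/sh
# Added example (not BreezingForms code): apply and verify the advisory's
# manual mitigations. Assumes WEBROOT points at the Joomla install root.

# Return 0 if the folder's .htaccess already denies all web access.
folder_denied() {
    grep -qiE '^[[:space:]]*(Deny from all|Require all denied)' "$1/.htaccess" 2>/dev/null
}

# Write a deny-all .htaccess into a folder (created if missing), unless one
# is already in place. Covers Apache 2.2 (mod_access) and 2.4 (mod_authz_core).
deny_folder() {
    dir="$1"
    mkdir -p "$dir"
    folder_denied "$dir" && return 0
    cat > "$dir/.htaccess" <<'EOF'
# Block direct web access to files in this folder (BreezingForms advisory)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 if the main .htaccess already turns directory listings off,
# e.g. "Options -Indexes" or "Options -Indexes +FollowSymLinks".
indexes_disabled() {
    grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Append "Options -Indexes" to the main .htaccess when it is not yet present.
disable_indexes() {
    root="$1"
    indexes_disabled "$root" && return 0
    printf '\n# Disable directory listings (BreezingForms advisory)\nOptions -Indexes\n' >> "$root/.htaccess"
}

# Apply all three mitigations against a webroot.
harden_breezingforms() {
    root="$1"
    deny_folder "$root/components/com_breezingforms/exports"
    deny_folder "$root/administrator/components/com_breezingforms/packages"
    disable_indexes "$root"
}

# Usage: WEBROOT=/var/www/html sh harden.sh   (WEBROOT is an assumed path)
if [ -n "${WEBROOT:-}" ]; then
    harden_breezingforms "$WEBROOT"
    folder_denied "$WEBROOT/components/com_breezingforms/exports" && echo "exports: denied"
    folder_denied "$WEBROOT/administrator/components/com_breezingforms/packages" && echo "packages: denied"
    indexes_disabled "$WEBROOT" && echo "directory indexes: disabled"
fi
```

Note that these .htaccess directives only take effect if the server's configuration permits them for the site (AllowOverride must include at least Options and Limit/AuthConfig, or be All); if AllowOverride is None, the same rules have to be placed in the virtual host configuration instead. After applying them, confirm the effect from the outside by requesting a file in the exports folder and checking for a 403 response.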
Special credits for reporting this issue go directly to Marco Dings from viryagroup.com. Thank you!