Important txt attachement revealed my absolute folder path

My server runs on CentOS. You know that it is a security consideration to NOT let public know the ABSOLUTE Path of your Joomla folders.

Well, today I noticed that just a simple TXT format attachement will reveal the absolute path on my server.

Someone on my forum uploaded a txt file named "rterror2.txt", but after submission, the filename was converted to :

If you replace those dash characters with slash, you will get the absolute path:

The worse is, you don't have to download this attachement to see its filename then know the path, it is just showing there in the post with full file name which is indicating the absolute path of the website!

Don't you think this is horrible?

I think this is a bug of Kunena 4.0.10.

Hope you will fix it in Kunena 5.

Thank you.

looks like a wrong .htaccess file.

When I add a txt, I can see only the normal url, like www.website.com/media/kunena/attachments/48/test.txt

Maybe because yur are using Kunena 5 but I was using Kunena 4.0.10?

I attached my .htaccess file here, could you please help to check this file and find the possible cause in it?





Thank you.

yes, its your htaccess, I get now errors:

Rendering Error in layout BBCode/Image: Property "url" is not defined in /home/****/domains/***/public_html/components/com_kunena/template/crypsis/layouts/bbcode/image/unauthorised.php on line 15
Layout was rendered in /home/****/domains/****/public_html/components/com_kunena/template/crypsis/layouts/message/item/default.php on line 83

ok that is a new bug what I get on the errors, will check your htaccess again

ok I use now k4, I have no issues, I see the normal path.