I don't fully know how this problem works, but here are some of my thoughts. You are talking about the file download operation because that is what the "hacker" used to find the URL he used in the repeater? I found out the URL by doing several other things like "Display in printer-friendly format", or even by just running a query. In the example screenshot below I ran a query in the CRM sample application and then looked at the Chrome developer tools "Network" tab to see what happened, and I saw this:
kklosson, can you verify this is the same URL and one that theoretically (if you don't feel like testing it) could be used to do the same exact thing the "hacker" did?
Support, isn't it possible to change the permissions of certain files or folders as part of the Aware IM installation, like for example Basserver.props and other risky files? The best thing would again, of course, be to fully restrict all access outside of localhost to all files, if that is possible?
Another related thing: currently both DB credentials and SSL information (possibly other important information) are written in plain txt files open for anyone to see. The issue we are discussing in this post is trying to limit access to various files, BUT actually not having these unprotected on the server is also something that would make me sleep better at night. Another thing here is the MySQL encryption keys, which we have to place in a txt file so Aware IM can use those files. This is a MySQL implementation, i.e. having the keys open/unprotected in txt files on a server, BUT the Aware IM implementation of encryption COULD implement a better / more secure solution, like having the encryption keys etc. in the configuration tool BSV settings followed by some kind of encryption inside Aware IM to protect this data.
Henrik (V8 Developer Ed. - Windows)