Front Accounting (FA) had document storage capabilities. Three issues arise:
1) FA stores documents under the server root
2) FA uses a non-random way to generate the report names
3) these reports are not protected by any authentication and can be retrieved by anyone
The known file locations are below, where X is the company number, starting at 0 (zero).
The software uses the PHP uniqid routine, which is known for being non-random:
Because it is difficult to show, please see the screen print below regarding the non-random name.
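The non-random naming described above, shown as an added example (this is not Front Accounting's code and was not part of the original report): a `uniqid()` value is the system clock printed in hex, so it decodes straight back to its creation time. The example assumes plain `uniqid()` with no prefix and `more_entropy` off, since the page does not show how FA calls it; `random_report_name()` is a hypothetical replacement built on PHP's CSPRNG.

```php
<?php
// Added example, not Front Accounting code. Assumes plain uniqid() with no
// prefix and more_entropy off; the page does not show how FA calls it.

/** Split a 13-character uniqid() value into the clock reading it encodes. */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a plain uniqid() value');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)), // Unix time in seconds
        'usec' => hexdec(substr($id, 8, 5)), // microsecond part of the clock
    ];
}

/** Hypothetical replacement: 128 bits from the OS CSPRNG, hex encoded. */
function random_report_name(string $ext = 'pdf'): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$before = time();
$id     = uniqid();
$after  = time();
$t      = decode_uniqid($id);

printf("uniqid()        : %s\n", $id);
printf("decodes to      : %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);
printf("matches clock   : %s\n",
    ($t['sec'] >= $before - 1 && $t['sec'] <= $after + 1) ? 'yes' : 'no');

// Two names generated back to back differ only by the elapsed microseconds.
$a = decode_uniqid(uniqid());
$b = decode_uniqid(uniqid());
printf("consecutive gap : %d microseconds\n",
    ($b['sec'] - $a['sec']) * 1000000 + ($b['usec'] - $a['usec']));

// Size of the name space once the creation time is known to the second,
// compared with a name that carries no timing information at all.
printf("uniqid, creation second known : 10^6 names (about 2^20)\n");
printf("random_bytes(16)              : 2^128 names\n");
printf("random name     : %s\n", random_report_name());
```

An unpredictable name only addresses issue 2; files kept under the server root with no authentication check (issues 1 and 3) remain retrievable by anyone who learns the name.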
I emailed the software company through their website but did not receive a reply. This was also disclosed to securityfocus.com but I believe it was not publicly reported since the email contained the image below as an attachment (or the original email was HTML and not TXT).