Attachments

Akeeba Ticket System allows users to optionally upload attachments with their tickets and ticket replies. These files are stored on your site, in the directory you configure in the component's Options page. The default is media/com_ats/attachments.

Attachment files are stored two directory levels deep, under a mangled name derived using at least one random component. This is a security measure: the filenames are unpredictable and sparsely distributed in a very large search space, so an unauthorised user cannot predict or brute-force a name to access a file directly. Furthermore, the files are stored without an extension so that they are not executable. Finally, the default directory is protected against direct web access with a .htaccess (Apache) and a web.config (IIS) file. Together, these measures prevent a number of attack modes, such as IDOR (Insecure Direct Object Reference) and uploading malicious code and executing it on your site.
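
An added example, not part of Akeeba Ticket System or its documentation: a Python audit that checks an attachments directory against the properties described above (guard files present, no file extensions, files two levels deep). The function names, the issue labels, the reading of "two levels deep" as root/dir/dir/file, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

GUARD_FILES = (".htaccess", "web.config")  # the two guard files named on the page


def audit_attachments(root, depth=2):
    """Return sorted (issue, relative_path) findings for an attachments directory."""
    root = Path(root)
    findings = []
    # Both guard files should sit at the top of the attachments directory.
    for guard in GUARD_FILES:
        if not (root / guard).is_file():
            findings.append(("missing-guard", guard))
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            if rel_dir == Path(".") and name in GUARD_FILES:
                continue
            rel = rel_dir / name
            # Assumption: stored names never contain a dot, since they have no extension.
            if "." in name:
                findings.append(("unexpected-name", rel.as_posix()))
            # Assumption: "two levels deep" means root/<dir>/<dir>/<file>.
            if len(rel.parts) != depth + 1:
                findings.append(("wrong-depth", rel.as_posix()))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (all names below are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text("# constructed placeholder\n")
        leaf = root / "3f" / "a9"
        leaf.mkdir(parents=True)
        (leaf / "c41d7e0b95aa").write_bytes(b"ok")    # conforms to the scheme
        (leaf / "notes.php").write_bytes(b"x")        # carries an extension
        (root / "3f" / "stray").write_bytes(b"x")     # only one level deep
        return audit_attachments(root)


if __name__ == "__main__":
    for issue, path in demo():
        print(f"{issue:16} {path}")
```

Point `audit_attachments()` at the directory configured in the component's Options page; any finding is a file or layout that does not match the storage scheme described above and deserves a manual look.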

Attachments have, by default, the same visibility as the ticket itself. Therefore, attachments in public tickets are visible to everyone and can be downloaded by anyone who has their URL. You can optionally make all attachments private. This means that attachments in public tickets can only be seen and downloaded by the person who submitted the ticket they belong to and by users with the Support Staff permission.

Akeeba Ticket System has its own set of upload permissions; it does not use the same ones used by the Media Manager. This is intentional. The Media Manager is set up to allow the upload of files which need to be publicly accessible on your site, mostly images, videos, audio files, PDFs and office application files. Attachments in a ticket system tend to be archives, log files, even executables depending on the nature of the support you are offering through the ticket system. Therefore it makes sense to have a different set of upload permissions to allow for files of a different nature to be uploaded. You can find these settings in the component's Options page.