diff --git a/core/config.class.inc.php b/core/config.class.inc.php
index 4c25f77fd0..b014601429 100644
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -962,6 +962,14 @@ class Config
 'source_of_value' => '',
 'show_in_conf_sample' => false,
 ),
+ 'disable_attachments_download_legacy_portal' => array(
+ 'type' => 'bool',
+ 'description' => 'Disable attachments download from legacy portal',
+ 'default' => true,
+ 'value' => true,
+ 'source_of_value' => '',
+ 'show_in_conf_sample' => true,
+ ),
 );
 
 public function IsProperty($sPropCode)
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index 29818ef541..681f81653a 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -53,7 +53,9 @@ try
 switch($operation)
 {
 case 'download_document':
- LoginWebPage::DoLoginEx(null /* any portal */, false);
+ // Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
+ $sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
+ LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $id = utils::ReadParam('id', '');
 $sField = utils::ReadParam('field', '');
 if ($sClass == 'Attachment')
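Review bot: The `'description'` of `disable_attachments_download_legacy_portal` says what the flag does but not what switching it off costs, so an administrator who sets it to false to restore a legacy-portal feature gets no hint that they are re-opening the hole the ajax.document.php comment attributes to bug N°1227. Since `show_in_conf_sample` is true, this string is what administrators will read in the sample configuration, so it is worth being explicit: `'description' => 'Disable attachments download from the legacy portal (security fix, bug N°1227). Set to false only if legacy-portal users must download attachments; this re-enables downloads for any logged-in portal user',`. The enclosing settings array and the Config class both start before this hunk.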
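Review bot: The new `$sRequestedPortalId` test fails open: if `Get('disable_attachments_download_legacy_portal')` ever yields anything other than the boolean `true` (for example `'1'` or `1` from a hand-edited configuration), the strict `=== true` is false and the code falls back to `null`, i.e. any portal may download again, which is exactly the behaviour the commit is trying to remove. Invert the test so only an explicit opt-out lifts the restriction: `$sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === false) ? null : 'backoffice';`. Whether `Get()` normalises a `'bool'`-typed setting before returning it is not visible here, so this is a fail-closed precaution rather than a confirmed defect. Restricting the login to the backoffice portal also only limits who can reach this branch; any object-level read check on the attachment would have to be in the code after `if ($sClass == 'Attachment')`, which is outside this hunk. The enclosing try/switch starts before the hunk and the case body continues past it.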