Hi,
Thanks for your quick answer.
I added one line to htaccess « deny from all ». It solved the problem, I hope it will not break anything else.
If not, it is pretty simple to fix and I invite your team to consider to do it as soon as possible as I consider it a major security issue that, moreover, is now publicly known.
Best regards