We've been bitten again by the security bug. This one is potentially bad and needs to be taken care of as quickly as possible. Basically, the script that the image manager uses is open to the world to upload files if called the right way.
0.10.2 is just 0.10.1 with the fix in place. If you don't want to go through the trouble of doing an upgrade, just do the following:
Open up lib/filemanager/ImageManager/manager.php
Right above the require_once('config.inc.php'); at the top, put:
require_once(dirname(dirname(dirname(dirname(__FILE__)))) . '/include.php');
check_login();
Ted (wishy)
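To confirm the manual fix above is in place on an install, here is an added example (not part of the original announcement or the project's code) that checks whether manager.php calls check_login() after loading include.php and before config.inc.php. The function name patch_status and the sample file contents are constructed for illustration; it only inspects the source text and assumes the file layout described above.

```python
import re
import sys

# Strip PHP comments so a commented-out check_login() does not count as patched.
# Simplification: comment markers inside string literals are not handled.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_INCLUDE = re.compile(r"require_once\s*\(?[^;]*include\.php['\"]\s*\)?\s*;")
_LOGIN = re.compile(r"\bcheck_login\s*\(\s*\)\s*;")
_CONFIG = re.compile(r"require_once\s*\(?\s*['\"]config\.inc\.php['\"]\s*\)?\s*;")

def patch_status(php_source):
    """Return 'patched', 'unpatched' or 'unknown' for manager.php contents."""
    code = _COMMENTS.sub("", php_source)
    config = _CONFIG.search(code)
    if config is None:
        return "unknown"  # not the layout the announcement describes
    head = code[:config.start()]  # only code that runs before config.inc.php
    inc = _INCLUDE.search(head)
    # check_login() must come after include.php is loaded and before config.inc.php
    if inc and _LOGIN.search(head, inc.end()):
        return "patched"
    return "unpatched"

# Constructed sample file contents (not copied from a real install).
INCLUDE_LINE = ("require_once(dirname(dirname(dirname(dirname(__FILE__))))"
                " . '/include.php');\n")
CONFIG_LINE = "require_once('config.inc.php');\n"
SAMPLE_PATCHED = "<?php\n" + INCLUDE_LINE + "check_login();\n" + CONFIG_LINE
SAMPLE_UNPATCHED = "<?php\n" + CONFIG_LINE
SAMPLE_COMMENTED = "<?php\n" + INCLUDE_LINE + "// check_login();\n" + CONFIG_LINE
SAMPLE_TOO_LATE = "<?php\n" + INCLUDE_LINE + CONFIG_LINE + "check_login();\n"

if __name__ == "__main__":
    # Usage: python check_manager.py lib/filemanager/ImageManager/manager.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        status = patch_status(fh.read())
    print(status)
    sys.exit(0 if status == "patched" else 1)
```
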