The filemanager allows directory traversals and therefore everybody with the permissions to modify files can upload files outside the upload-directory.
Steps to reproduce:
1. (optional) Create a user with permission to modify files but without permission for the "Advanced usage of the File Manager module".
2. Go to the filemanager, upload files
3. Manipulate the hidden field <input id="m1_path" name="m1_path"> to contain for example the path /uploads/../../
4. Upload a file
[fixed] filemanager directory traversal
Re: filemanager directory traversal
I can't reproduce on SVN rev. 7361
But I can't change folders in FM anymore.
Perhaps the result of fixing this issue??
Rolf
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Re: filemanager directory traversal
Should be fixed in SVN rev. 7361
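The report above hinges on a client-controlled directory field (`m1_path`) being trusted as the upload destination. The following is an added example, not code from this thread or from the CMS Made Simple project, showing one way to confine such a field to the uploads directory on the server side. The function name `resolve_upload_dir`, the temporary directory layout and the sample paths are assumptions constructed for the demonstration.

```php
<?php
// Added example: hypothetical helper, not CMS Made Simple code.
// Resolves a client-supplied path (relative to the site root, like the
// m1_path form field) and returns it only if it lies inside $uploadsDir.
function resolve_upload_dir(string $siteRoot, string $uploadsDir, string $requested): ?string
{
    // NUL bytes never belong in a path; PHP 8 throws on them in realpath().
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() collapses "..", "." and symlinks, and returns false
    // when the path does not exist.
    $allowed = realpath($uploadsDir);
    $target  = realpath($siteRoot . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($allowed === false || $target === false || !is_dir($target)) {
        return null;
    }

    // Compare with a trailing separator so that a sibling such as
    // "uploads_backup" does not pass a plain prefix match on "uploads".
    $allowedPrefix = rtrim($allowed, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $targetPrefix  = rtrim($target, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($targetPrefix, $allowedPrefix, strlen($allowedPrefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/images', 0700, true);
mkdir($root . '/uploads_backup', 0700, true);

// Constructed sample values for the path field; the second one is the
// value given in the report.
$samples = ['/uploads/images', '/uploads/../../', '/uploads/../uploads_backup', '/uploads/images/..'];
foreach ($samples as $path) {
    $dir = resolve_upload_dir($root, $root . '/uploads', $path);
    printf("%-28s => %s\n", $path, $dir === null ? 'REJECTED' : 'OK');
}
```

The check runs on the resolved path, after `..` segments and symlinks have been collapsed, so it does not depend on pattern-matching the raw field value.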