2011-05-19, 17:35:40
bugman Wrote:I've found that a user can access files and folders outside the default "uploads" folder just by adding "../" to the URL, like this:
Quote:http://sitename.com/admin/upload.php?path=../
This is a kind of security hole for VDS hosting, when one has multiple websites owned by only one user (usually apache:apache or httpd:httpd) and relies on the application's logic to handle web user permissions.
Luckily this can only be done by the GetSimple administrator, who will normally be the same person as the FTP user. And as the FTP user he can upload/change any PHP files, so this bug won't give him more rights.
It is only a problem if somebody installs several GetSimple instances (or other applications) under the same user and gives them to different customers without FTP access. But this is really bad practice.
Anyway, in the plugins I18N Gallery and I18N Custom Fields I have a simple filter, which could be used in the administration, too:
Code:
$subPath = preg_replace('/\.+\//','',$_GET['path']); // strip every run of dots followed by "/" (e.g. "./", "../") from the requested path
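As an added example (not part of the original post or GetSimple's own code), here is that filter next to a realpath-based containment check that only accepts a requested path if it still resolves inside the uploads directory; the uploads directory location and the sample inputs are assumed:

```php
<?php
// Added example, not GetSimple code. Compares the dot-stripping filter from
// the post with a containment check based on realpath(). The uploads
// directory path below is an assumption for illustration.
declare(strict_types=1);

$uploadsDir = __DIR__ . '/data/uploads';   // assumed location

// Filter from the post: removes runs of dots followed by a slash.
function stripDotSegments(string $path): string
{
    return preg_replace('/\.+\//', '', $path);
}

// Containment check: resolve the requested path (symlinks and ".." included)
// and require that the result lies inside the uploads directory.
// Returns the canonical path, or null if the path escapes or does not exist.
function resolveInsideUploads(string $uploadsDir, string $requested): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;                       // uploads directory missing
    }
    $candidate = realpath($base . '/' . $requested);
    if ($candidate === false) {
        return null;                       // target does not exist
    }
    // Compare with a trailing separator so "/data/uploads2" is not
    // mistaken for a child of "/data/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the uploads directory
    }
    return $candidate;
}

// Constructed sample inputs (assumed; "images" is a subfolder of uploads).
$samples = ['images', '../', 'images/../../outside'];
foreach ($samples as $p) {
    printf("%-24s filter=%-12s contained=%s\n",
        var_export($p, true),
        var_export(stripDotSegments($p), true),
        var_export(resolveInsideUploads($uploadsDir, $p) !== null, true));
}
```

Because realpath() returns false for paths that do not exist, the check reports a missing target the same way as an escaping one; log both cases separately if you need to tell an attack attempt apart from a typo.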