2011-05-19, 17:19:43
(This post was last modified: 2011-05-19, 17:27:39 by diealkerry.)
I've found that a user can access files and folders outside the default "uploads" folder by just adding "../" to the URL, like this:
Quote: http://sitename.com/admin/upload.php?path=../

This is a kind of security hole for VDS hosting, when one has multiple websites owned by only one user (usually [apache:apache] or [httpd:httpd]) and relies on the application's logic handling web user permissions.
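One way to contain the `path` parameter described in the post above, shown as an added example that is not part of the original post or the application's own code. The helper name `resolve_upload_path()` and the demo directory layout are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper): canonicalise the requested path and
// refuse anything that resolves outside the uploads root.
function resolve_upload_path(string $baseDir, string $requested): ?string
{
    // Canonical form of the uploads root; false if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes are never valid in a path component.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and "./" and follows symlinks;
    // it returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // Accept the root itself or anything below it. Comparing against
    // "$base/" stops a sibling such as "uploads_private" from matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: <tmp>/uploads/images and a sibling <tmp>/uploads_private.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/images', 0700, true);
mkdir($root . '/uploads_private', 0700, true);

// Constructed sample values for the "path" request parameter.
$samples = ['', 'images', 'images/..', '../', '../uploads_private', 'images/../../'];
foreach ($samples as $p) {
    $resolved = resolve_upload_path($root . '/uploads', $p);
    printf("%-22s => %s\n", var_export($p, true), $resolved === null ? 'REJECTED' : 'allowed');
}

// Remove the demo tree.
rmdir($root . '/uploads/images');
rmdir($root . '/uploads');
rmdir($root . '/uploads_private');
rmdir($root);
```

Because every site on such a host runs as the same OS user, filesystem permissions do not separate them; a check like this in the application is the only boundary for that parameter unless each site is given its own user or an `open_basedir` restriction.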