Connie Wrote:
this directive in the main .htaccess file in the root will stop file-lists

This is not the issue here. Using the URL in the OP, it is possible to gain access to directories above /data/uploads from within the backend file management feature. As mvlcek points out, it's only an issue with multiple installations on the same server, with common account names and passwords.
Nevertheless, I think this is one occasion where the system could usefully protect a site admin from his own stupidity and prevent this cross-installation vulnerability.
Actually, I can see a situation where a user (client, for example) might have legitimate, but limited, access to more than one site on the same server and set himself a common username and password for convenience. That could be damaging if exploited.
--
Nick.