2011-05-19, 19:08:34
bugman Wrote: If any product with typical installation out-of-box allows either admin or ordinary user to access files/directories they're not granted - it's a security hole for me.
I hear what you say and I agree with your logic.
I just tried adding more levels of ../ to the URL and I can get back to the filesystem root to view directory contents (I can't do anything to them as the server permissions prevent that). This is not on a properly hardened commercial production server, so it may not be a true indication.
So, I would like to change my view and say that it certainly needs to be addressed.
--
Nick.