Open
Description
In the media_upload_xhr() function there is no check whether the $id is a safe filename. For example, if you enter "../../../conf/local.php" as id in the upload form, the configuration file is first replaced by the uploaded file and then deleted. This happens before any security check apart from the security token is done.
There can also be more problems, like characters that aren't allowed in a filename, so my recommendation is to simply use the md5 sum of the id as filename.
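The following PHP sketch is an added illustration, not DokuWiki's code and not part of the original report. It compares using the id directly as a file name with the md5-based name recommended above; the directory layout and all function names are hypothetical.

```php
<?php
// Added illustration; not DokuWiki's code. Paths and function names are hypothetical.

// Resolve "." and ".." lexically so the result can be checked without touching disk.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Pattern described in the report: the id is used as the file name unchanged.
function unsafe_tmp_path(string $tmpDir, string $id): string {
    return normalize_path($tmpDir . '/' . $id);
}

// Recommendation from the report: name the file after md5($id).
// md5() returns 32 hex characters, so separators, dots and NUL bytes cannot survive.
function safe_tmp_path(string $tmpDir, string $id): string {
    return normalize_path($tmpDir . '/' . md5($id));
}

// Containment check: true only if $path lies strictly below $base.
function is_inside(string $base, string $path): bool {
    $base = rtrim(normalize_path($base), '/') . '/';
    return strncmp($path, $base, strlen($base)) === 0;
}

$tmpDir = '/srv/wiki/data/tmp/upload';   // constructed layout for the demo
$ids = ['wiki:logo.png', '../../../conf/local.php', "bad\0name?.png"];

foreach ($ids as $id) {
    $unsafe = unsafe_tmp_path($tmpDir, $id);
    $safe   = safe_tmp_path($tmpDir, $id);
    echo json_encode($id), "\n";
    echo '  id as name : ', json_encode($unsafe),
         is_inside($tmpDir, $unsafe) ? ' (inside)' : ' (ESCAPES tmp dir)', "\n";
    echo '  md5 as name: ', json_encode($safe),
         is_inside($tmpDir, $safe) ? ' (inside)' : ' (ESCAPES tmp dir)', "\n";
}
```

With the constructed layout, the id from the report resolves to /srv/wiki/conf/local.php when used directly, while every md5-derived name stays inside the upload directory.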