Security Problem in upload manager

In the upload manager, I can manually change the actual directory by entering something like ".." or "../.."

I fixed this for me in the setup.php, from line 852:

if($var2=="chdir"){
    // Only accept the requested directory if it contains no ".." sequence
    if ( strpos ( $p_dir, '..' ) === false )
        $p_actdir=$p_dir;

Maybe you could include a fix for this in further versions? Thank you!

Michael

Thank you for phpAlbum, good job, very useful!
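
A stricter variant of the check in the post, as an added example that is not part of the original post or of phpAlbum: instead of searching for "..", it canonicalizes the requested directory with realpath() and accepts it only if the result stays under the album root. The function name resolve_upload_dir() and the temporary directory layout are assumptions; $p_dir and $p_actdir are the variable names from the post.

```php
<?php
// Added example, not phpAlbum code. resolve_upload_dir() and the directory
// layout below are hypothetical; $p_dir mirrors the request value in the post.

/**
 * Resolve a user-supplied directory against $base and return the canonical
 * path only if it is $base itself or lies beneath it; otherwise return null.
 */
function resolve_upload_dir(string $base, string $p_dir): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($p_dir, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false when
    // the target does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $p_dir);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so that ".../photos_old" is not
    // treated as being inside ".../photos".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout: <tmp>/photos/holiday is inside the album root,
// <tmp>/private is outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'updemo_' . uniqid();
mkdir($root . '/photos/holiday', 0700, true);
mkdir($root . '/private', 0700, true);
$base = $root . '/photos';

foreach (['holiday', 'holiday/..', '..', '../private', 'holiday/../../private'] as $p_dir) {
    $p_actdir = resolve_upload_dir($base, $p_dir);
    printf("%-24s => %s\n", $p_dir, $p_actdir === null ? 'rejected' : 'accepted');
}

// Remove the constructed sample directories again.
foreach (['/photos/holiday', '/photos', '/private', ''] as $d) {
    rmdir($root . $d);
}
```

Because the decision is made on the canonical path, an input such as "holiday/.." that resolves back to the album root is accepted, while any input whose resolved path leaves the root is rejected regardless of how it is written.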

