There is a directory traversal vulnerability when logged in as an admin and viewing the uploaded files. An attacker can read arbitrary files on a remote server via a URL-encoded GET request parameter.
If logged in as the admin, they would have legitimate access to e.g. /FrogCMS/admin/?/plugin/file_manager/index.php from your second example, right? Can this be used to read files outside of the webroot?
There is a directory traversal vulnerability when logged in as an admin and viewing the uploaded files. An attacker can read arbitrary files on a remote server via a URL-encoded GET request parameter.
1. Read config.php.
2. Read index.php.
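The question raised in the thread is whether a requested path can leave the directory the file manager is meant to serve. One way to enforce that boundary, as an added example that is not part of the original report and not FrogCMS code: `resolve_in_base()`, the directory layout and the sample requests are constructed for illustration, and the parameter is assumed to have been URL-decoded exactly once.

```php
<?php
// Added example: containment check for a file-manager path parameter.
// resolve_in_base() and the directory layout are hypothetical, not FrogCMS code.

function resolve_in_base(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                      // misconfigured base directory
    }
    // Assumption: $requested was URL-decoded exactly once by the framework.
    // Decoding again here would let an encoded separator slip past the check.
    if (strpos($requested, "\0") !== false) {
        return null;                      // reject embedded NUL bytes outright
    }
    // realpath() collapses "..", "." and symlinks; false means no such file.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // Accept the base itself or anything strictly below it. The trailing
    // separator stops "/site/public_old" from matching "/site/public".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout: <tmp>/site/public is the file manager's base directory,
// <tmp>/site/config.php sits one level above it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . getmypid();
mkdir($root . '/site/public/images', 0700, true);
file_put_contents($root . '/site/config.php', '<?php // constructed');
file_put_contents($root . '/site/public/images/logo.png', 'x');

$cases = [
    'images/logo.png',                 // inside the base
    '../config.php',                   // resolves above the base
    rawurldecode('..%2Fconfig.php'),   // same path after one URL decode
    'images/../../config.php',         // valid prefix, still resolves above
];
foreach ($cases as $c) {
    $r = resolve_in_base($root . '/site/public', $c);
    printf("%-26s => %s\n", $c, $r === null ? 'rejected' : 'allowed');
}
```

Only the first request is allowed; the other three resolve to a file above the base directory and are rejected.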