Local URIs Server Side Request Forgery #64
The media uploader allows the attacker to make the server send a GET request to an intranet addr or anything which can be accessed via IP address.
So basically GeniXCMS installations can send unwanted scrape/scan requests on behalf of their user invoked by the attacker.
Maybe we should rewrite some of the interface in elfinder
See how WordPress fixes it:
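
Added example, not part of the issue thread and not GeniXCMS, elFinder or WordPress code: one way a fetch-by-URL upload endpoint can refuse local targets, by resolving the host first and checking every resulting address. It is written in Python rather than the project's PHP, and all names (`vet_fetch_url`, `SAMPLE_DNS`, the `.example` hosts and their addresses) are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURL(ValueError):
    """The server must not fetch this user-supplied URL."""

def system_resolver(host):
    """All addresses (IPv4 and IPv6) the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

# Constructed sample data so the example runs offline.
SAMPLE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "intranet.example": ["192.168.1.10"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],  # decimal form of 127.0.0.1
}

def sample_resolver(host):
    """Stand-in for DNS: table lookup, IP literals resolve to themselves."""
    return SAMPLE_DNS.get(host, [host])

def is_public(addr):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return ip.is_global and not ip.is_multicast

def vet_fetch_url(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    try:
        addrs = resolver(parts.hostname)
    except OSError as exc:
        raise BlockedURL("cannot resolve host: %s" % exc)
    # One internal answer is enough to refuse: the HTTP client may pick any.
    bad = [a for a in addrs if not is_public(a)]
    if bad or not addrs:
        raise BlockedURL("non-public address(es): %s" % bad)
    return addrs  # connect to one of these, not to a fresh lookup
```

The fetch should connect to one of the returned addresses rather than resolving the name again, and every redirect target needs the same check before it is followed.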