edo888 / jumi

Joomla! custom content extension
http://2glux.com/projects/jumi

Maybe vulnerability #63

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I found a problem.
Authors who are allowed to upload files via Media Manager can execute
arbitrary PHP code. They can upload any PHP script with a permitted extension
(jpg, for example) and write the code {jumi images/stories/smth.jpg} in the text.
If you put this code inside a comment <!-- -->, the Administrator will not even
notice it.
This is possible even if access to the media manager is denied, on servers
where hosting companies allow you to share files between accounts.
Is this a security bug or a feature?

Original issue reported on code.google.com by wearg01...@rambler.ru on 26 Aug 2011 at 4:23

GoogleCodeExporter commented 9 years ago
Hi,

It is by design. Media Manager should verify that the uploaded file is
really a valid jpg, not just check the file name extension.

So a regular user cannot perform a Local File Inclusion.

Regards,

Edvard

Original comment by edo...@gmail.com on 31 Aug 2011 at 11:11
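The content check Edvard describes, as an added example that is not part of jumi or of Joomla's Media Manager: a Python validator that accepts an upload only when its leading bytes match the signature of the claimed image type and, as an extra precaution, rejects any body containing a PHP open tag. The signature table and the sample files are constructed for this example.

```python
import re
from pathlib import PurePosixPath
from typing import Tuple

# Magic-byte signatures for the image types a media manager typically allows
# (constructed table for this example; extend as needed).
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# A structurally valid image can still carry arbitrary bytes in a comment or
# EXIF segment, so a signature match alone is not enough once a directive
# like {jumi ...} hands the file to the PHP engine.  Reject on the full
# "<?php" / "<?=" open tags only: the bare "<?" short tag would false-match
# random compressed data far too often (a false reject is the safe direction).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Accept only if the extension is allowed, the
    leading bytes match that type's signature, and no PHP open tag appears."""
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    if ext not in MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match a {ext} signature"
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


# Constructed sample inputs for the demonstration below.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32 + b"\xff\xd9"
PHP_AS_JPEG = b"<?php echo 'hello'; ?>"                 # script renamed to .jpg
POLYGLOT = b"\xff\xd8\xff\xfe\x00\x20<?php echo 1; ?>" + b"\xff\xd9"  # valid header, code in a comment segment

if __name__ == "__main__":
    for name, body in [("photo.jpg", REAL_JPEG),
                       ("smth.jpg", PHP_AS_JPEG),
                       ("poly.jpg", POLYGLOT),
                       ("shell.php", PHP_AS_JPEG)]:
        print(name, validate_upload(name, body))
```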