gWorldz / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

deleting any file into the server #353

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Since version 3.0 the file deletefile.php can be used to erase any file on the server. If we create a site backup and then analyze the link to delete it, we see one with this structure:

http://www.site.com/admin/deletefile.php?zip=2012-09-14-1713_55_archive.zip&nonce=24ca489b329f08c9f0d43a953985c35984566b65

If we change the value of "zip" to another one (any other file on the server that Apache can remove):

http://www.site.com/admin/deletefile.php?zip=../.htaccess&nonce=24ca489b329f08c9f0d43a953985c35984566b65

we will delete it!! Please, fix it!!

Regards

P.S.: I've tested it on a Windows machine with Apache.

Original issue reported on code.google.com by aquinadie on 20 Sep 2012 at 3:43

GoogleCodeExporter commented 9 years ago
$_GET['zip']
$_GET['upload']
$_GET['folder']
$_GET['id']

All vulnerable to directory traversal injections.

Original comment by tablatronics on 24 Sep 2012 at 4:29
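
A containment check of the kind the report above calls for, as an added example that is not part of this thread and is not the r760 change: the request value is resolved with realpath() and accepted only if the result stays under the intended directory. The function name `safe_delete_target` and the temporary directory layout are assumptions made for the demo.

```php
<?php
// Added example: containment check for a user-supplied file name before unlink().
// safe_delete_target() and the directory layout are hypothetical, not GetSimple's code.
function safe_delete_target(string $baseDir, string $userValue): ?string
{
    // Reject empty values and NUL bytes outright.
    if ($userValue === '' || strpos($userValue, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; it returns false for
    // paths that do not exist, in which case there is nothing to delete.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved path must sit below the base directory. The trailing
    // separator stops "/backups-old/x" from matching "/backups".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout: <tmp>/site/.htaccess and <tmp>/site/backups/<archive>.zip
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gs_demo_' . bin2hex(random_bytes(4));
mkdir($site . '/backups', 0700, true);
file_put_contents($site . '/.htaccess', "Deny from all\n");
file_put_contents($site . '/backups/2012-09-14-1713_55_archive.zip', 'constructed');

foreach (['2012-09-14-1713_55_archive.zip', '../.htaccess', '..\\.htaccess', 'missing.zip'] as $zip) {
    $path = safe_delete_target($site . '/backups', $zip);
    if ($path !== null) {
        unlink($path);
    }
    printf("%-34s %s\n", $zip, $path !== null ? 'deleted' : 'rejected');
}
printf("%s\n", file_exists($site . '/.htaccess') ? '.htaccess still present' : '.htaccess gone');

// Clean up the constructed layout.
unlink($site . '/.htaccess');
rmdir($site . '/backups');
rmdir($site);
```

The same function applies to each of the parameters listed in the comment above, with the base directory set to wherever that parameter's files are expected to live.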

GoogleCodeExporter commented 9 years ago

Original comment by tablatronics on 30 Sep 2012 at 1:51

GoogleCodeExporter commented 9 years ago
fixed by r760

for QA
deleting zip archives
deleting uploads, and uploads in subfolders
deleting pages

Original comment by tablatronics on 30 Sep 2012 at 2:54

GoogleCodeExporter commented 9 years ago
Needs QA

Original comment by tablatronics on 21 Oct 2012 at 4:01