Directory Traversal vulnerability

[blorange2]

On one of my servers, if you were to go to:

mydomain.com/laravel-filemanager/download?working_dir=&type=Files&file=../../../../../../../../../../../../../../../homepages/45/d641872465/htdocs/.bash_history

It'll actually download the file, this is problematic because you can essentially break out of the application and affect the actual server.

I need to look into how I could secure this but I thought I'd bring it to your attention.

[streamtw]

Thanks for the info. This is an important issue. I will make sure this is fixed in the next release.

[cracki]

https://www.exploit-db.com/exploits/48166

[streamtw]

Fixed in v2.2.0, thanks for reporting this.