Yes, tested and confirmed: the filemanager is a MAJOR exploit. It runs as root!
Mustafa, follow these steps to create a disaster!
Log in to the panel as a client (test). In the filemanager, create a new file:
exploit.php
<?php
// Plant a symlink in the client's home pointing at the real /etc.
// The root-run filemanager then follows it.
symlink('/etc', '/home/test/etc');
?>
Execute the script in a browser: domain.com/exploit.php
In the KloxoMR filemanager, an 'etc' directory appears under the test client/user; clicking it takes me to the real /etc/ directory. Using the filemanager I can now edit/delete ANY file in the /etc directory.
NO SSH required. This can be recreated with any file or directory! THIS IS A MAJOR DISASTER WAITING TO HAPPEN!
Mustafa, all efforts must be made NOW to make the filemanager run as the client/user logged into KloxoMR, NOT ROOT. This is a must!
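The check a file manager needs in order to refuse the symlink trick described in this post, as an added example that is not KloxoMR code or the poster's code: the helper name confine_to_home() is hypothetical, and the demonstration rebuilds the report's /home/test layout inside a temporary directory rather than touching the real /home/test.

```php
<?php
// Added example, not KloxoMR code. confine_to_home() is a hypothetical helper.
// It maps a user-supplied path onto the client's home directory and refuses any
// path that, after every symlink is resolved, lands outside that home. This is
// exactly what stops '/home/test/etc' -> '/etc' from being browsed as the user's
// own 'etc' folder.

function confine_to_home(string $home, string $requested): ?string
{
    $homeReal = realpath($home);
    if ($homeReal === false) {
        return null; // the home directory itself must exist
    }
    // The user supplies a path relative to their home: no absolute paths, no NUL bytes.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = $homeReal . '/' . $requested;

    // realpath() resolves '..' and every symlink component. For a file that does
    // not exist yet (the "create new file" case) resolve its parent directory.
    $resolved = realpath($candidate);
    if ($resolved === false) {
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $resolved = $parent . '/' . basename($candidate);
    }

    // Accept only the home itself or something strictly beneath it. The trailing
    // slash stops '/home/test2' from matching a home of '/home/test'.
    if ($resolved !== $homeReal && strpos($resolved, $homeReal . '/') !== 0) {
        return null; // escaped the home, e.g. through a symlink to /etc
    }
    return $resolved;
}

// Demonstration: recreate the report's layout under a temporary directory
// (constructed test data, not a real client account).
$base = sys_get_temp_dir() . '/fm-demo-' . getmypid();
$home = $base . '/home/test';
mkdir($home, 0700, true);
file_put_contents($home . '/index.html', "hello\n");
symlink('/etc', $home . '/etc');   // what exploit.php does

var_dump(confine_to_home($home, 'index.html'));        // string(...) ".../home/test/index.html"
var_dump(confine_to_home($home, 'etc'));               // NULL, resolves to /etc
var_dump(confine_to_home($home, 'etc/passwd'));        // NULL, resolves to /etc/passwd
var_dump(confine_to_home($home, '../../etc/passwd'));  // NULL, '..' walks out of the home
var_dump(confine_to_home($home, 'newfile.php'));       // string(...), not yet existing, parent is the home

// Clean up the demonstration tree.
unlink($home . '/etc');
unlink($home . '/index.html');
rmdir($home);
rmdir($base . '/home');
rmdir($base);
```

A realpath-style check is only a backstop: the client can create the symlink between the check and the file operation, and the operation then still runs as root. The fix the post asks for, running the filemanager's file operations as the logged-in client/user rather than as root, removes that window, because the kernel itself refuses the user access to /etc regardless of which symlinks exist in their home.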