DownFile 1.3 allows remote malicious users to gain administrator privileges via a direct request to (1) update.php, (2) del.php, and (3) add_form.php.
eric fichot downfile 1.3