I was messing around with an open-source CMS yesterday and noticed a possible security issue with the default installation of Dotclear version 2.7.3. Checking the CVE database (CVE-2014-3782), I found that this issue had already been raised a while back. It appears that it is not fixed entirely, as it turns out that the Media Manager in a default install of Dotclear 2.7.3 only blocks .php files (a setting in config) from being uploaded. I attempted to upload a .php5 webshell, a .html file (with XSS) and a .exe, and succeeded.
The default installation should have configs that block some potentially “more harmful” extensions such as .exe, .html, .shtml, .php5 etc.
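As an added illustration (not code from this post or from Dotclear itself), the following Python compares the denylist behaviour described above, where only `.php` is refused, with an extension allowlist, the usual defensive alternative; the allowlist contents are an assumption about what a blog's media library needs.

```python
"""Upload-extension policy: denylist (blocks only .php) versus allowlist."""
import os

# Policy the post describes for a default Dotclear 2.7.3 install: only .php refused.
DENYLIST = {".php"}

# Assumed allowlist of media types a blog's Media Manager actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip", ".mp3"}


def _extension(filename: str) -> str:
    """Return the lowercased final extension of the bare filename ('' if none)."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def denylist_allows(filename: str) -> bool:
    """Denylist model: anything not explicitly blocked is accepted."""
    return _extension(filename) not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist model: only known media extensions are accepted."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False  # refuse path separators and NUL outright
    ext = _extension(filename)
    return ext != "" and ext in ALLOWLIST


def compare(filenames):
    """Map each filename to (denylist_verdict, allowlist_verdict) for reporting."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample filenames using the extensions named in the post.
    samples = ["photo.jpg", "shell.php", "shell.php5", "page.html", "tool.exe"]
    for name, (deny, allow) in compare(samples).items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:12} denylist={verdict(deny):6} allowlist={verdict(allow)}")
```

Running it shows the denylist accepting every sample except `shell.php`, while the allowlist accepts only `photo.jpg`.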