Has anybody had a look at this uploader? I did yesterday, because I ported it to the frontend customer area. I implemented a check whether the customer is logged in or not before handling the file upload, but it fails all the time.
A look into the HTTP traffic showed me a lot. The upload is made via HTTP POST from the Flash object. It sends (in the backend) a form key, the file and the name with the request.
The interesting thing is, there is no cookie sent with it. This means the admin user is not identified. And the form key (normally saved in the session) cannot be checked?
I was blind. Good that this blog article was not published yet :-) In the URL there is a parameter called SID. And surprise, surprise, it submits the session ID.
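
A sketch of the login check described above, resolving the session from the SID URL parameter when the upload POST arrives without a cookie. This is an added example, not code from the original post or from the shop software; the cookie name, the `form_key` field name, the in-memory session store and all sample values are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory session store: session ID -> session data.
SESSIONS = {
    "k3f9a1constructedsid": {"customer_id": 42, "form_key": "Zx81qPconstructed"},
    "guestconstructedsid": {"customer_id": None, "form_key": "Gg22constructed"},
}


def resolve_session(url, cookies):
    """Return the session for a request, preferring the cookie and falling
    back to the SID URL parameter that the Flash uploader sends."""
    sid = cookies.get("session")  # hypothetical cookie name
    if sid is None:
        values = parse_qs(urlsplit(url).query).get("SID", [])
        # Reject a missing or repeated SID instead of guessing which one to use.
        sid = values[0] if len(values) == 1 else None
    return SESSIONS.get(sid) if sid else None


def authorize_upload(url, cookies, form):
    """Return (allowed, reason) for an upload POST."""
    session = resolve_session(url, cookies)
    if session is None:
        return False, "no session"
    if session.get("customer_id") is None:
        return False, "not logged in"
    sent = form.get("form_key", "")  # assumed field name for the form key
    # Constant-time comparison of the submitted form key with the session's.
    if not hmac.compare_digest(sent.encode(), session["form_key"].encode()):
        return False, "bad form key"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: no cookie, session ID carried in the URL.
    url = "https://shop.example/upload?SID=k3f9a1constructedsid"
    print(authorize_upload(url, {}, {"form_key": "Zx81qPconstructed"}))
```

Because the session ID travels in the URL here, it also ends up wherever URLs are recorded, such as web server access logs.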