diff --git a/cis/private/lehre/upload.php b/cis/private/lehre/upload.php
index e3a7d0845..2cb49a90d 100644
--- a/cis/private/lehre/upload.php
+++ b/cis/private/lehre/upload.php
@@ -623,7 +623,7 @@
 }
 else
 {
- if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && $file_name!='.htaccess')
+ if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && !stristr($file_name,'.htaccess'))
 {
 if(copy($_FILES[$file]['tmp_name'], $uploadfile))
 {
@@ -646,7 +646,7 @@
 }
 else
 {
- if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && $file_name!='.htaccess')
+ if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && !stristr($file_name,'.htaccess'))
 {
 if(copy($_FILES[$file]['tmp_name'], $uploadfile))
 {
@@ -679,7 +679,7 @@
 }
 else
 {
- if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && $file_name!='.htaccess')
+ if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && !stristr($file_name,'.htaccess'))
 {
 if(copy($_FILES[$file]['tmp_name'], $uploadfile))
 {
@@ -702,7 +702,7 @@
 }
 else
 {
- if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && $file_name!='.htaccess')
+ if(!stristr($uploadfile, '.php') && !stristr($uploadfile, '.cgi') && !stristr($uploadfile, '.pl') && !stristr($uploadfile, '.phtml') && !stristr($file_name,'.htaccess'))
 {
 if(copy($_FILES[$file]['tmp_name'], $uploadfile))
 {
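Review bot: The guard repeated in the hunks at -623, -646, -679 and -702 (and again for rename at -1331) is still a substring denylist, and it tests `$uploadfile`, the whole destination path, for four extensions but `$file_name` for `.htaccess`. A denylist cannot cover every extension or per-directory configuration file the web server may honour, and matching anywhere in the path also refuses harmless names such as `notes.plan.txt` or any upload into a directory whose name contains `.pl`. I would move the test into one helper that works on `basename($uploadfile)`, rejects names starting with a dot, and compares the extension against an allowlist, then call it from all five places, e.g. `if(isAllowedUploadName(basename($uploadfile)))` (the helper name is only a suggestion). The surrounding `if`/`else` blocks start and end outside these hunks, so whether the upload directory is served with script execution disabled is not visible here.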
@@ -1318,9 +1318,13 @@ $link_path = str_replace("+","%20",$link_path); echo "  ".htmlentities($entry, ENT_QUOTES, 'UTF-8')." "; + $new_file_name_=''; if(isset($_POST['new_file_name'.$file_count])) $new_file_name_ = $_POST['new_file_name'.$file_count]; + if(stristr($new_file_name_,'..')) + die('Invalid Parameter detected'); + if(isset($rename_file) && isset($check_state)) { echo " "; @@ -1331,7 +1335,7 @@ { if(!@file_exists($dest_dir->path.'/'.$new_file_name_) && !@is_dir($dest_dir->path.'/'.$new_file_name_)) { - if(!stristr($new_file_name_, '.php') && !stristr($new_file_name_, '.cgi') && !stristr($new_file_name_, '.pl') && !stristr($new_file_name_, '.phtml') && $new_file_name_!='.htaccess') + if(!stristr($new_file_name_, '.php') && !stristr($new_file_name_, '.cgi') && !stristr($new_file_name_, '.pl') && !stristr($new_file_name_, '.phtml') && !stristr($new_file_name_,'.htaccess')) { rename($dest_dir->path.'/'.$entry, $dest_dir->path.'/'.$new_file_name_);
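Review bot: The new `..` check in the hunk at -1318 does not reject directory separators, so a posted `new_file_name` such as `sub/name.txt` still appears to reach `rename()` and place the file in another directory below `$dest_dir->path`, while a harmless name like `draft..txt` is refused. Comparing the value with its own basename is tighter: `if(!is_string($new_file_name_) || $new_file_name_ !== basename($new_file_name_)) die('Invalid Parameter detected');`. The `is_string` test also covers an array-valued POST field, which `stristr()` would not accept. The check sits after the `echo` above it, so `die()` leaves a half-rendered page; validating before any output would be cleaner, though the enclosing block starts outside this hunk.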