Drupal Permissions Privileges and Access Controls Vulnerability - CVE-2010-3092
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.