diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
index aed65181..b6d3525c 100644
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -15,6 +15,15 @@
 *
 */
+if (!defined('AREA')
+ || (defined('AREA') && AREA != 'admin')
+ || !isset($userinfo['loginname'])
+ || (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
+) {
+ header('Location: ../../../../index.php');
+ exit;
+}
+
 if (isFroxlorVersion('0.9-r0')) {
 showUpdateStep("Updating from 0.9-r0 to 0.9-r1", false);
diff --git a/install/updates/froxlor/upgrade_syscp.inc.php b/install/updates/froxlor/upgrade_syscp.inc.php
index a974532e..8dd28a94 100644
--- a/install/updates/froxlor/upgrade_syscp.inc.php
+++ b/install/updates/froxlor/upgrade_syscp.inc.php
@@ -15,6 +15,15 @@
 *
 */
+if (!defined('AREA')
+ || (defined('AREA') && AREA != 'admin')
+ || !isset($userinfo['loginname'])
+ || (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
+) {
+ header('Location: ../../../index.php');
+ exit;
+}
+
 $updateto = '0.9-r0';
 $frontend = 'froxlor';
diff --git a/install/updatesql.php b/install/updatesql.php
index 7f3a03e5..7b2c612b 100644
--- a/install/updatesql.php
+++ b/install/updatesql.php
@@ -17,6 +17,15 @@
 *
 */
+if (!defined('AREA')
+ || (defined('AREA') && AREA != 'admin')
+ || !isset($userinfo['loginname'])
+ || (isset($userinfo['loginname']) && $userinfo['loginname'] == '')
+) {
+ header('Location: ../index.php');
+ exit;
+}
+
 $updatelog = FroxlorLogger::getInstanceOf(array('loginname' => 'updater'));
 $updatelogfile = validateUpdateLogFile(makeCorrectFile(dirname(__FILE__).'/update.log'));
diff --git a/lib/functions/output/function.buildNavigation.php b/lib/functions/output/function.buildNavigation.php
index a429b53f..9e9f251a 100644
--- a/lib/functions/output/function.buildNavigation.php
+++ b/lib/functions/output/function.buildNavigation.php
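Review bot: The new guard in update_0.9.inc.php uses loose comparisons and redundant sub-clauses: because `||` short-circuits, `!defined('AREA') || (defined('AREA') && AREA != 'admin')` is the same test as `!defined('AREA') || AREA !== 'admin'`, and the `isset` / `== ''` pair on `$userinfo['loginname']` collapses the same way, so the whole condition can read `if (!defined('AREA') || AREA !== 'admin' || !isset($userinfo['loginname']) || $userinfo['loginname'] === '') {`. The identical block is repeated in the upgrade_syscp.inc.php and updatesql.php hunks, differing only in the depth of the redirect path, so a single shared guard include would keep the three copies from drifting apart. The check only establishes that some admin session is present; if the updater is meant to be reachable by superadmins only, the corresponding `$userinfo` flag should be tested here as well, which cannot be confirmed from these hunks. The guard also assumes `$userinfo` is in scope at the include site; if any of these files is pulled in from inside a function, every request would be redirected.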
@@ -31,6 +31,14 @@ function buildNavigation($navigation, $userinfo) {
 $returnvalue = '';
+ // sanitize user-given input (url-manipulation)
+ if (isset($_GET['page']) && is_array($_GET['page'])) {
+ $_GET['page'] = (string)$_GET['page'][0];
+ }
+ if (isset($_GET['action']) && is_array($_GET['action'])) {
+ $_GET['action'] = (string)$_GET['action'][0];
+ }
+
 foreach($navigation as $box) {
 if ((!isset($box['show_element']) || $box['show_element'] === true) && (!isset($box['required_resources']) || $box['required_resources'] == '' || (isset($userinfo[$box['required_resources']]) && ((int)$userinfo[$box['required_resources']] > 0 || $userinfo[$box['required_resources']] == '-1')))) {