diff --git a/CHANGELOG b/CHANGELOG
index 1ccefa364..4c52b3ab0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,7 +9,7 @@
 - unlinked documents/folders can be moved into root folder
 - take out debug echo statement (Bug #125)
 - fix some errors in notification mails
-- fix some security holes
+- fix some security holes (found by Craig Arendt, Stratum Security)
 - add initial version of REST api
 --------------------------------------------------------------------------------
diff --git a/op/op.AddFile2.php b/op/op.AddFile2.php
index 27ca3e58d..9e3397f3a 100644
--- a/op/op.AddFile2.php
+++ b/op/op.AddFile2.php
@@ -42,20 +42,20 @@ if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
 fclose($fpnew);
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
-echo getMLText("invalid_doc_id");
+UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 $documentid = $_POST["documentid"];
 $document = $dms->getDocument($documentid);
 if (!is_object($document)) {
-echo getMLText("invalid_doc_id");
+UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 $folder = $document->getFolder();
 if ($document->getAccessMode($user) < M_READWRITE) {
-echo getMLText("access_denied");
+UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
 }
 $userfiletmp = $settings->_stagingDir.$fileId;