trampgeek / jobe

jobe is a server that runs small programming jobs in a variety of programming languages

Privilege escalation using sourcefilename

myyxl opened this issue

Hi Richard,
I have found another privilege escalation, but this time using the sourcefilename. When adding "../../" before the actual file name, you can store the file in another directory. If you store the file into the web directory, you can execute PHP code by doing a request to the website. After this you can patch runguard and gain root.
Here is the affected line in the source code: Link

Sincerely,
Marlon

Thanks again Marlon. Hopefully fixed now (version 1.6.5).
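
The traversal reported in this issue is closed by validating the client-supplied sourcefilename before anything is written to disk. The following PHP is an added example, not Jobe's own code and not the 1.6.5 fix; the function name `safe_source_path`, the allowlist pattern, and the temporary job directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Jobe's code. safe_source_path() and $jobDir are hypothetical.

function safe_source_path(string $jobDir, string $sourceFileName): string
{
    // 1. Allowlist: one path component, conservative characters, no leading dot.
    //    Rejects "/", "\", "..", NUL bytes, trailing newlines and empty names.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\z/', $sourceFileName)) {
        throw new InvalidArgumentException('illegal source file name');
    }
    // 2. Defence in depth: resolve the job directory and confirm the final
    //    path sits directly inside it, even if the allowlist is loosened later.
    $base = realpath($jobDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('job directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $sourceFileName;
    if (dirname($target) !== $base) {
        throw new InvalidArgumentException('path escapes job directory');
    }
    // 3. Refuse to write through a symlink that already exists at the target name.
    if (is_link($target)) {
        throw new InvalidArgumentException('target is a symlink');
    }
    return $target;
}

// Constructed sample inputs: two ordinary names and several that must be refused.
$jobDir = sys_get_temp_dir() . '/jobe_example_' . bin2hex(random_bytes(4));
mkdir($jobDir, 0700);
$names = ['prog.py', 'Main.java', '../../prog.php', '..', 'a/b.c', '.hidden', "x\0.php", ''];
foreach ($names as $name) {
    try {
        file_put_contents(safe_source_path($jobDir, $name), "// placeholder\n");
        printf("accepted %s\n", json_encode($name));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s (%s)\n", json_encode($name), $e->getMessage());
    }
}
array_map('unlink', glob($jobDir . '/*'));
rmdir($jobDir);
```

Name validation limits where the file can land; keeping the job directory outside the web root and not writable by the web server user limits what a bypass could reach.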