It's not really a security hole but more of a feature that needs to be disable for people running seedbox companies or just have a ton of idiots on one server...
Problem: In limited shell you can run nano press Ctrl-R then Ctrl-T to open the file browser. You can browser every file on the server.
The fix: Compile nano from source. Installation to fix below