@ztajoli wrote:
Hi,
I find my server with same ‘hack’ uploaded using tyny_mce library.
Without login they can uploads files inside public/site/images/
They used those calls:
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/%7B HTTP/1.1" 200
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 200The dir public/site/images is write-able by www-data.
I use OJS 2.4.8
Is it possible to do something ?
Bye
Zeno Tajoli
Posts: 4
Participants: 2