On 10/19/20 3:29 PM, Jaroslaw Rafa wrote:
> On 19.10.2020 at 21:12:20 John Fawcett wrote:
>> Sorry not to be able to give a definitive answer. Typical mail injection
>> via PHP will use a script that already calls the PHP mail function or
>> similar functions that open the SMTP connection. But there are other
>> attack vectors that are possible that allow hackers to gain the
>> privileges of the web server user.
>
> Very often hackers abuse web pages that allow users to upload files to the
> web server. If the input is not correctly sanitized, it may be possible to
> upload an arbitrary PHP script and get it executed.
>
> There were multiple attacks based on this scenario.
Can this be mitigated by denying the PHP user write permission on any directory where PHP files will be executed?

Demi
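An added example of the check behind Demi's question; it is not code from any participant in the thread. It audits a web root for the two things a PHP-FPM account must not be able to do if upload flaws are to stay non-executable: create a new file in a directory where the server runs PHP, or overwrite an existing .php file. Assumptions, not facts from the thread: the PHP account's uid (PHP_UID, a placeholder value), the sample directory layout (constructed in build_demo_webroot), and the list of directories where the web server has PHP execution disabled, which is passed in by hand because the script does not read Apache or nginx configuration.

```python
"""Audit a PHP web root for places an upload flaw can become code execution.

Added example; not from the mailing-list thread.  PHP_UID and the demo tree
are assumptions for illustration.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Sequence

# Assumption: uid of the account PHP runs as (e.g. www-data).  Any value that
# differs from the deploy account owning the code will do for the demo.
PHP_UID = 65534


def user_can_write(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """True if the classic mode bits let `uid` (member of `gids`) write to the
    object described by `st`.  Ignores POSIX ACLs and the fact that uid 0
    bypasses mode bits; a real audit has to cover both separately."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root: str, uid: int, gids: Iterable[int],
                  no_exec_dirs: Sequence[str] = ()) -> List[str]:
    """Return root-relative paths through which the PHP account could plant
    or alter code:
      * directories it can write to  -> it can create shell.php there
      * .php files it can write to   -> it can overwrite existing code
    Directories named in `no_exec_dirs` (PHP execution disabled by the web
    server, e.g. an uploads area) are skipped together with their subtrees.
    The mitigation asked about in the thread holds when the result is empty."""
    root = os.path.abspath(root)
    gids = set(gids)
    skip = [os.path.join(root, d) for d in no_exec_dirs]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == s or dirpath.startswith(s + os.sep) for s in skip):
            dirnames[:] = []          # do not descend: PHP is off here
            continue
        if user_can_write(os.lstat(dirpath), uid, gids):
            hits.append(os.path.relpath(dirpath, root))
        for name in filenames:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                if user_can_write(os.lstat(full), uid, gids):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def owner_gid(path: str) -> int:
    """Group id of `path`, used by the demo to model 'PHP user is in the
    deploy group' without needing chown privileges."""
    return os.lstat(path).st_gid


def build_demo_webroot() -> str:
    """Constructed sample tree (not real data).  Everything is owned by the
    account running this script, standing in for a deploy account that is
    *not* the PHP user.  The modes reproduce common mistakes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)            # web root itself: PHP user cannot write
    subdirs = {
        "includes": 0o755,   # code directory: correct
        "uploads":  0o777,   # world-writable and under the web root: bad
        "cache":    0o775,   # group-writable: bad if PHP user is in the group
        "tmp":      0o1777,  # sticky bit still lets anyone create shell.php
    }
    for name, mode in subdirs.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    # A world-writable script: the PHP user could overwrite it with a backdoor.
    cfg = os.path.join(root, "includes", "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    os.chmod(cfg, 0o666)
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel in audit_webroot(demo, PHP_UID, (), no_exec_dirs=("uploads",)):
        print("writable by PHP account:", rel)
```

Two caveats worth keeping in mind when applying this to a real host: removing write permission from the code directories only helps if the directory that *must* stay writable (the upload target) has PHP execution switched off in the web server configuration or sits outside the web root entirely, which is why the script needs `no_exec_dirs` rather than inferring it; and the mode-bit check says nothing about POSIX ACLs or about a PHP process that has already gained root, so `getfacl` and the FPM pool's `user`/`group` settings should be reviewed alongside it.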