Comment to 'compromised ?'
  • That could be an issue. So I did notice a weird bug a while back. If someone starts a post and adds attachments and then abandons the post.

    When the next user tries to make a post, those same attachments will auto load. 

    I didn't report it as I know it probably wouldn't be investigated.

    There have been a few spammers around here these days so I'm not sure.

    • My big concerns when seeing this were the following:

      - If someone can inject attachments into the post editor, then the aspect that is insecure needs to be discovered,

      because it may be possible to exercise privilege escalation and overload PHP via exec, and then start to traverse and modify the rest of the server.

      Once it's hacked, it's hacked. It's hard to fix; you have to restore from backups on the back end, and it's ugly because code could be hiding ANYWHERE.
      - I've been leery of having PHP exec enabled, period, from day one, and wonder if UNA can run without PHP exec...

        • That could very well be a caching issue if there is only one instance of PHP-FPM allowed on the server, and no children or all children are tied up and max servers is set too low, then if the UNA code doesn't check certain elements it may try to dump the attachments of the abandoned post,

          but there really are about 20 different reasons this could happen...