I haven't actually tested this but assumed by default the upload box would be restricted to a few options. This should be a pretty high priority to avoid a pretty serious security problem.
I opened a ticket on this back on June 16, 2020. It caused a huge headache for us when someone uploaded a phishing HTML document. It wasn't even accessible to anybody, and we still got flagged by Google as a "bad user". We had emails fail to come in or out, and when someone visited a website that ended in our domain name it presented a warning page indicating that we hosted malware/phishing sites. It took 4 days to clear it all up with Google before we were fully operational again.
I was told then that this was an active feature request. The last reply on my ticket was June 7, 2021 that it was still active but no update on when it would be implemented.
Circling around back to this as just this weekend someone uploaded a PHP file using the file upload form. The contents of this PHP file were benign...it was a simple "Hello World" example. My fear is that if someone is able to access this file outside of the normal environment that they will move on to trying to upload malicious PHP files.
This really should be a no-brainer. Especially with the trouble we had back in 2020. Fortunately we haven't had that issue since then, but I feel like it is only a matter of time before this happens again.
Please make this a priority.
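For anyone reading this thread who needs a stopgap while the feature request is open, here is an added example (not code from the product or from any poster above) of the kind of server-side check an upload form should do: an allowlist of extensions tied to the magic bytes the content must start with, a server-generated storage name so the user-supplied filename never reaches disk, and download headers so a stored file is never rendered as a page (which is what let the phishing HTML document get the domain flagged). The allowlist, sample uploads and function names are constructed for this example.

```python
import os
import secrets

# Constructed allowlist for this example: accepted extension -> magic-byte
# prefixes the content must start with. Anything not listed (.php, .html,
# .phtml, .svg, ...) is rejected before it is written anywhere.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


def validate_upload(filename, content):
    """Return (ok, detail).

    ok is True only when the file's final extension is in ALLOWED_TYPES and
    the content starts with one of that type's signatures. A PHP script
    renamed to .png fails the signature check; a real .html or .php file
    fails the extension check.
    """
    _, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %r" % ext
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match the %s signature" % ext
    return True, ext


def storage_name(ext):
    """Server-generated on-disk name: random token plus the validated
    extension. The user's filename (including tricks like 'x.php.jpg')
    is never used, so no '.php' ever appears in the stored path."""
    return secrets.token_hex(16) + ext


def download_headers(stored_name):
    """Headers for serving a stored upload back: forced download, no MIME
    sniffing, generic content type. An uploaded HTML document is therefore
    downloaded, not rendered under the site's domain."""
    return {
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }


# Constructed sample uploads (name -> first bytes of the content)
SAMPLES = {
    "hello.php": b"<?php echo 'Hello World'; ?>",
    "login.html": b"<html><body>Please sign in</body></html>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "fake.png": b"<?php echo 1; ?>",                    # PHP renamed to .png
    "shell.php.jpg": b"\xff\xd8\xff" + b"\x00" * 16,    # double extension
}


def check_all(samples=SAMPLES):
    """Run validate_upload over the samples; returns name -> accepted?"""
    return {name: validate_upload(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print("%-14s %s" % (name, "accepted" if ok else "rejected"))
    print(download_headers(storage_name(".pdf")))
```

Note that `shell.php.jpg` is accepted, because its content really is a JPEG; the double extension is neutralised by `storage_name`, not by the validator. The last line of defence is still the upload directory itself: serve it from a location where the web server has script execution disabled, since a validator bug should not turn into code execution.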