Had installed and set up PKP OCS 2.3.6 with the recommended patches on RHEL 6.8.
Yesterday, we found that a user created an account and, in the bio statement (Edit profile), used the file upload feature to upload an image file which contained the message “hacked by xxx”.
As per the standard configuration, the file was uploaded to the public/site/images/user directory. Though, to my knowledge, this is not a hack but a way to create panic: as the public directory is part of the web root, if this is shared with people, it will be assumed that the web site running PKP OCS is hacked.
I think the file upload feature should be disabled, or the file uploaded here should be stored in a non-web-root directory. But this may make the uploaded image invisible the next time the user tries to view his/her existing profile.
Your recommendations please.
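One way to keep a profile image visible while taking it out of the web root is to serve it through a small handler instead of linking to public/ directly. The PHP below is an added example, not OCS's own code; the storage directory /var/lib/ocs_uploads/user, the <user id>.<ext> file naming and the ?id= request parameter are assumptions.

```php
<?php
// Added example (not OCS code): serve a profile image that is stored
// outside the web root, so nothing under public/ is directly linkable.
// Assumptions (hypothetical): files live in /var/lib/ocs_uploads/user/
// and are named <numeric user id>.<ext>; the caller passes ?id=<n>.

declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/ocs_uploads/user'; // outside the web root (assumed)
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function find_user_image(string $id): ?string {
    // Only a plain numeric id is accepted; this rejects "../" style names.
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        return null;
    }
    foreach (ALLOWED_TYPES as $ext) {
        $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            return $path;
        }
    }
    return null;
}

function detect_image_type(string $path): ?string {
    // Trust the file content, not the extension the uploader chose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return (is_string($mime) && isset(ALLOWED_TYPES[$mime])) ? $mime : null;
}

$path = find_user_image($_GET['id'] ?? '');
$mime = $path !== null ? detect_image_type($path) : null;
if ($mime === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');   // browser must not guess another type
header('Content-Disposition: inline; filename="profile.' . ALLOWED_TYPES[$mime] . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The profile page then references the handler URL rather than a path under public/, so a file that is not a real image of an allowed type is never served at all.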