Recently we experienced a malicious attack on our OJS 2.4.8 version.
We have found 2 types of attacks. One is that they registered as an author and uploaded “hacked by” images to the “Comments to the Author” section in the submission page. Then they took the link (…public/site/images/username/xxx.jpg) and spread it as if the site had been hacked. Is this folder (public/site/images/username) accessible to the public? Can we restrict it by changing the permissions, or is there any other alternative?
The second type was that they uploaded a .phtml file, but I could not find any alteration on our site. From the (Security issue: Hacking via submission in OJS 2.4.8) thread I understand that the problem is with the file directory, as it is inside the OJS directory. Can we secure it by moving it outside the OJS folder?
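
An audit for the two conditions raised in the post above, as an added example that is not part of the original post and is not OJS code: it lists uploads under a public directory that carry a server-executable extension such as .phtml, and reports whether a files directory resolves to a location inside the web root. The extension list, the function names and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled web server may be configured to execute.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}

def is_inside(child, parent):
    """True if `child` resolves to a path at or below `parent`."""
    child, parent = os.path.realpath(child), os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent

def find_executable_uploads(upload_root):
    """Relative paths of files under upload_root carrying an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            # Check every suffix: some handler setups also act on "x.phtml.jpg".
            suffixes = {"." + part for part in name.lower().split(".")[1:]}
            if suffixes & EXECUTABLE_EXTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), upload_root))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed layout for the demo: a web root with user uploads and two files dirs."""
    web_root = os.path.join(base, "ojs")
    user_dir = os.path.join(web_root, "public", "site", "images", "user1")
    inside = os.path.join(web_root, "files")
    outside = os.path.join(base, "private", "files")
    for d in (user_dir, inside, outside):
        os.makedirs(d)
    for name in ("xxx.jpg", "a.phtml"):
        with open(os.path.join(user_dir, name), "wb") as fh:
            fh.write(b"constructed sample")
    return web_root, inside, outside

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web_root, inside, outside = build_sample_tree(base)
        print("executable uploads:", find_executable_uploads(os.path.join(web_root, "public")))
        for files_dir in (inside, outside):
            state = "INSIDE web root" if is_inside(files_dir, web_root) else "outside web root"
            print(files_dir, "->", state)
```

On a real installation, pass the OJS directory, its public directory and the `files_dir` value from `config.inc.php` in place of the constructed paths.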