Please wait for an official answer from the team on this one before changing anything.
But I did test by making a copy of the ow_pluginfiles folder and placing it above the public_html and then defining the folder location inside of the config file.
For example: define('OW_DIR_PLUGINFILES', '/home/username/ow_pluginfiles/');
And it did seem to work. However, I have not tested the other folders and this is NOT an official Oxwall remedy, so please wait for their reply. I just wanted to share what I tested with you, so maybe this might work, but ask them first, they are the experts.
Thanks Dave
I am not aware of any way to upload anything to a site directory unless you have one of three things:
1. FTP access
2. cPanel access (if using cPanel) or some other panel access.
3. An existing script on the server which allows uploads, such as an image uploader.
Other than that, unless they hack your account, I am not aware of any way that anyone can upload anything.
The 777 simply gives the server full access to read, write, and execute what is already there in those folders.
That is my understanding.
Dave
:)
Guys, thanks for the clarification. So .htaccess stops PHP scripts from running in ow_userfiles, which is fine. But what if somebody embeds or uploads JavaScript? JavaScript runs locally on a client's PC, so .htaccess cannot block it.
Also, another question in terms of security: I hope there is protection so that users cannot publish iframes or embed them (except for YouTube or similar trusted sources for video).
Can we restrict the access rights so that anybody can read and write but not execute? Would it work?
As to the iframes, you can restrict the use of HTML on the users' part, and you can declare which iframes of which video resources to use. As far as I know, all forms on Oxwall will reject input if you use JavaScript or iframes.
I only know of one place right now, regarding a form, where this is possible, and I don't believe it causes any security risk.
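
Added example (not written by anyone in this thread and not Oxwall code): a shell check for the two things discussed above, directories left world-writable by mode 777 and PHP files sitting in an upload directory such as ow_userfiles. The sample tree is constructed, and the function names and the docs directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and for
# server-side script files inside an upload directory.

# audit_writable DIR: list every directory under DIR that any local user
# can write to (the "other" write bit is set, as it is with mode 777).
audit_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# audit_scripts DIR: list files under an upload directory whose names look
# like PHP scripts. Uploaded images and documents should never match.
audit_scripts() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# make_sample: build a constructed tree that mimics the folders named in
# the thread and print its path. Nothing here is a real site.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ow_userfiles/plugins/photo" "$d/ow_pluginfiles" "$d/docs"
    chmod 777 "$d/ow_userfiles" "$d/ow_userfiles/plugins" \
        "$d/ow_userfiles/plugins/photo" "$d/ow_pluginfiles"
    chmod 755 "$d/docs"
    : > "$d/ow_userfiles/plugins/photo/avatar.jpg"   # expected upload
    : > "$d/ow_userfiles/plugins/photo/upload.php"   # should be flagged
    echo "$d"
}

# Demo run against the constructed tree.
sample=$(make_sample)
echo "World-writable directories:"
audit_writable "$sample"
echo "Script files in the upload directory:"
audit_scripts "$sample/ow_userfiles"
rm -rf "$sample"
```

On a real install, point audit_writable at the site root and audit_scripts at ow_userfiles; any hit from the second function deserves a closer look even when .htaccess blocks execution there.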