Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That bothers me. That should never be necessary.

It looks like they intend everything to be in the webroot, which is a problem in and of itself. Setting everything in the uploads folder to be executable without any .htaccess directives to prevent that seems like a potential issue. If they're not validating images (properly) or sandboxing uploads, or thinking about mitigating directory traversal attacks, then there could be issues with remote code execution.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: