It's possible to make malicious code, rename the file to a picture extension, upload it to a server, and execute the code if the system isn't safe enough.
But if you deactivate the uploading feature, you will be safe from that type of attack... or will you?
I'm just wondering: what if an attacker uploads the malicious code to another server, or a free image host for instance, and then goes to your site, registers, includes this "picture" in his/her signature, and makes some posts in the forum or any other module where the signature will be included?
If you also have cache enabled for the module where the posts with his/her malicious file in the signature were included, is it possible that the server may be at risk in this way? Just asking, since the cache folder has to be chmodded 777 and the content may be saved in the cache folder on the server.
Can s/he execute the code if it's done in this way?
Best Regards,
Bananadude
--- censored by Bananadude ---