MB-R091
Public upload and media directories must not contain executable PHP, PHTML, or server-side scripts. Attackers frequently abuse upload flaws to plant web shells, which can lead to payment-page skimming or full store compromise. Enforce web server execution blocking and scan writable public paths for suspicious executable artifacts.
Magento media and upload paths are often writable by the application and publicly reachable. If PHP, PHTML, or other executable server-side files can run from these directories, an upload flaw can become remote code execution.
Blocking execution in writable public paths reduces the chance that an attacker can plant a web shell and use it to modify checkout, steal secrets, or skim payment pages.
find pub/media var -type f \( -iname "*.php" -o -iname "*.phtml" -o -iname "*.phar" \) 2>/dev/null
# Nginx/Apache should deny PHP execution in pub/media and upload directories
pub/media/catalog/tmp/shell.php
# PHP file present in public upload path → FAIL
location ~* ^/media/.*\.php$ { deny all; }
# Execution blocked → PASS