... The $canUpload doesn't stop you from initiating the code from the URL.
If that is true and the code run when the <?php if ($canUpload) : ?>
statement were false then it would mean that no php if
statements were adhered to. The code (in the <?php if ($canUpload) : ?>
statement) only runs if the user is authorised to do so. Therefore by definition of the code ... a user must be logged in with the login details of user that has the correct authorisation.
... I don't get your beef with someone (not just me) having this issue.....
That's because I have no 'beef' with anyone who has been hacked. And your attempt at questioning my motives does not detract from the value of what I say.
If they had the login id and password, then they could install some addons or other code to do WAY more damage.
Exactly, so that means that it was a security breach in some other area that allowed the hacker to upload files. Because anyone uploading files via the media manager would be authorised to do so because of your settings in Joomla admin.
There are many ways to hack a site and focusing on one aspect without proof ... prevents the real cause from being found. To say 'all hacked sites had Joomla installed therefore Joomla is insecure' ... is like saying 'All horses have tails therefore all animals with tails are horses.
You pick a piece of legitimate code that is for authorised upload and then neglect to see that the code is only run when requested by an authorised user.
If the code can be used by non logged in, non authorised users and you have proof of that ... then you can (by the same knowledge) write the code in a way that only logged in authorised users can upload. And what is more, you would have placed that code in your files.
Also ... if the code you quote is vulnerable then the security moderators would have edited your post to prevent hackers from taking advantage of such knowledge.