Via Mubix I have found this post that describes a new way to upload a web shell to a server.

This method uploads .htaccess files to change how the server behaves. The nice trick here is that the file itself:

  • Allows the .htaccess files to be displayed
  • Tells Apache that the contents of the .htaccess files must be interpreted by PHP (the file itself will be executed by the PHP interpreter)
  • Contains, in its last part, PHP code that will pass commands to the operating system.

As a side note, the author also comments that this trick can also be applied to JSP and mod_perl installations.

Some information on securing file uploads, from OWASP.
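
On the defensive side, an upload handler can refuse per-directory server configuration files such as .htaccess before anything is written to disk. The following is an added example, not code from the linked post or from OWASP; the function name, exception class and extension allow-list are assumptions made for the illustration.

```python
import os
import secrets
import unicodedata

# Assumed policy for this example: extensions the application accepts.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Per-directory server configuration files that must never come from a client.
SERVER_CONFIG_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails the upload policy."""


def stored_name_for(client_filename: str) -> str:
    """Validate a client-supplied filename and return a server-chosen name.

    The client name is only used to derive the extension; the name written
    to disk is random, so a client can never choose ".htaccess" as the target.
    """
    # Fold look-alike characters (e.g. a fullwidth dot) to their ASCII form.
    name = unicodedata.normalize("NFKC", client_filename)
    if "\x00" in name:
        raise UploadRejected("NUL byte in filename")
    # Keep only the final path component, whichever separator the client used.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots or spaces can hide the real name (".htaccess.").
    name = name.rstrip(". ").lower()
    if not name:
        raise UploadRejected("empty filename")
    if name.startswith(".") or name in SERVER_CONFIG_NAMES:
        raise UploadRejected("dotfile or server configuration file")
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return secrets.token_hex(16) + ext
```

Setting `AllowOverride None` for the upload directory in the main Apache configuration complements this check, because Apache then ignores any .htaccess file that ends up there.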