Say there's a website and the static dir and files in it are set 755, and there's a public interface to upload any type of file into the dir. The server uses Apache with Require all granted set on the dir.
1/3:
755 basically means that the owner of the directory is the only user that is allowed to create new files inside that directory.
If the owner of the directory is the user the web-server/php-server/? runs as, then yes, it is allowed to create new files and perform changes in general.
Short answer:
The most common way to secure a website is to have a separate user owning the files and directories, use chmod 755 on directories etc., and use SFTP to upload the content.
2:
XSS exploits often do not need write access; they manipulate script input variables that may be printed out verbatim, as is, etc.
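
The ownership rule from the 1/3 part of the answer, as an added example that is not part of the original post: it evaluates whether a given account can create files in a directory from the directory's mode and owner. The uids 1001 (a separate deploy user) and 33 (the web server account) are constructed values, and ACLs, capabilities and SELinux/AppArmor are deliberately ignored.

```python
import os
import stat
import tempfile


def can_create_files(dir_mode, dir_uid, dir_gid, proc_uid, proc_gids):
    """Return True if a process with these ids may create files in the directory.

    POSIX selects exactly one permission class: owner, else group, else other.
    Creating a directory entry needs both write (w) and search (x) on it.
    uid 0 is treated as always allowed.
    """
    if proc_uid == 0:
        return True
    if proc_uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in proc_gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need


def audit_dir(path, proc_uid, proc_gids):
    """Apply the same check to a real directory on disk."""
    st = os.stat(path)
    return can_create_files(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            proc_uid, proc_gids)


if __name__ == "__main__":
    DEPLOY, WWW = 1001, 33  # constructed ids for illustration
    cases = [
        ("755, owned by deploy user, server is 'other'", 0o755, DEPLOY, DEPLOY),
        ("755, owned by the web server account itself", 0o755, WWW, WWW),
        ("775, group is the web server's group", 0o775, DEPLOY, WWW),
    ]
    for label, mode, uid, gid in cases:
        print(f"{label}: web server can create files = "
              f"{can_create_files(mode, uid, gid, WWW, {WWW})}")

    # The same check against a real directory created with mode 755.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        other_uid = os.stat(d).st_uid + 1  # constructed non-owner, non-root uid
        print("temp dir, non-owner can create files =",
              audit_dir(d, other_uid, set()))
```

Run it against the real static directory by calling `audit_dir` with the uid and group ids of the account the web server actually runs as.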