Today we received an announcement from the PKP team. They report that OJS versions 3.2 to 3.3 (before 22.214.171.124) have very critical vulnerabilities.
Here is a copy of their announcement:
What is the problem?
The first vulnerability, #8307, allows any author to edit any other author's details on published content. For example, a user who is registered as an author can use this vulnerability to replace the author's name in a published article with his own name or another person's name. This can be done without the journal editor being aware of it, by the author alone.
The second one, #8299, allows some roles to replace or modify the galley of a submission without the knowledge of the galley's legitimate owner.
We call this very critical because it can damage the reputation of any journal if authors later discover that their galley, or the article published under their name, has been changed since its first release. It can also affect their Google Scholar record, Scopus indexing record, or any other indexing record that relies on the author name of an article when calculating that article's impact. Their record in the index may even be erased.
We highly encourage any journal manager to take this as a serious warning and to take action to upgrade their OJS as soon as possible.
How to fix the problem?
We describe 2 ways to fix this issue.
We are not responsible if the information we provide has an impact on your OJS. Please use this article for information only; if you are not able to perform the steps described in this tutorial, we strongly recommend leaving the work to your IT team.
Upgrade OJS to 126.96.36.199
If your OJS version is below 3.3, for example 3.1 or 3.2, the fix can only cover the patch for issue #8307, as described in the guide to patching OJS below 3.3.
However, if your OJS version is below 3.3 you cannot patch issue #8299, which requires OJS 3.3.
Patching the OJS
Using the Command line
If your OJS is version 3.3.x you can easily patch it with the following command (if your server provides a command line):
- Go to the folder where your OJS application resides
- Run this command
cd lib/pkp && wget -O - -q https://github.com/pkp/pkp-lib/commit/1987cc5592955ea70426039de9b67d711f8e68bd.diff | patch -p1 && wget -O - -q https://github.com/pkp/pkp-lib/commit/9c997a8.diff | patch -p1
(The lib/pkp path is relative to the OJS folder you changed into in the previous step; patch will report any hunk that fails, for example when the installed files are not from the expected version.)
The above command patches both of the reported vulnerabilities automatically.
Copying and replacing the files
If you do not have command-line access to your server, you can download the files below and place them at the correct paths (relative to your OJS folder):
/lib/pkp/classes/services/PKPAuthorService.inc.php
/lib/pkp/classes/submission/PKPAuthorDAO.inc.php
/lib/pkp/controllers/grid/users/author/AuthorGridHandler.inc.php
/lib/pkp/controllers/grid/users/author/AuthorGridRow.inc.php
/lib/pkp/classes/security/authorization/internal/RepresentationRequiredPolicy.inc.php
/lib/pkp/classes/submission/RepresentationDAO.inc.php
Download the file package here (select by your OJS version) :
For OJS 3.3.X: here
For OJS 3.2.X: Coming soon
For OJS 3.1.2: not available (not supported by this vulnerability)
If you need more references, read more details on how to patch OJS in this article.
Need any help? We provide OJS upgrade or patching services, carried out by a professional team and with a guarantee.
All our OJS hosting clients also get free patches regarding this vulnerability.