Critical Vulnerabilities in OJS Versions 3.2 and 3.3

Today we received an announcement from the PKP team. They report that OJS versions 3.2 to 3.3 (before 3.3.0.13) have very critical vulnerabilities.

Here is a copy of their announcement:

What is the problem?

The first vulnerability, #8307, allows any author to edit any other author on published content. For example, a user registered as an author could use this vulnerability to replace an author's name on a published article with their own name or another person's. This can be done without the journal editor, or even the affected author, being aware of it.

The second one, #8299, allows some roles to replace or modify the galley on submissions without the knowledge of the galley's legitimate owner.

We consider this very critical because it can damage the reputation of any journal if authors someday discover that their galley, or the article published under their name in the first release, has been changed. It can also affect their Google Scholar record, Scopus indexing record, or any other indexing record that relies on the author's name when calculating an article's impact. Their indexing record may even be erased.

We highly encourage any journal manager to take this as a serious warning and to take action to upgrade their OJS as soon as possible.

How to fix the problem?

There are two ways to fix this issue:


Note:

We are not responsible if the information we provide has an impact on your OJS. Please treat this article as information only. If you are not able to perform the steps described in this tutorial, we strongly recommend leaving the work to your IT team.


Upgrade OJS to 3.3.0.13

If your OJS version is older than 3.3 (for example, 3.1 or 3.2), the fix can only cover issue #8307, as described in the guide to patching OJS below 3.3.

However, if your OJS version is older than 3.3, you cannot patch issue #8299, which requires OJS 3.3.

Patching the OJS

Using the Command line

If your OJS is on version 3.3.X, you can easily patch it with this command (if your server provides a command line):

  1. Go to the folder where your OJS application resides
  2. Run this command (the path is relative to the OJS folder from step 1):

     cd lib/pkp && wget -O - -q https://github.com/pkp/pkp-lib/commit/1987cc5592955ea70426039de9b67d711f8e68bd.diff | patch -p1 && wget -O - -q https://github.com/pkp/pkp-lib/commit/9c997a8.diff | patch -p1

The above command automatically applies the patches for both of the reported vulnerabilities.
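A more cautious variant of the one-line command above, as an added example that is not from PKP or from the original post: it rehearses the diffs on a scratch copy and changes lib/pkp only if all of them apply, skipping any that are already in place. It assumes GNU patch and that the two commit diffs were first saved to local files; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not PKP's script). Function names are hypothetical.
# Assumes GNU patch and diffs already saved to local files.

# try_patch DIR DIFF [extra patch options]: run patch quietly inside DIR.
try_patch() {
    _dir=$1; _diff=$2; shift 2
    (cd "$_dir" && patch -p1 -f "$@" >/dev/null 2>&1) < "$_diff"
}

# apply_one DIR DIFF: 0 if the fix is present afterwards, 1 on conflict.
apply_one() {
    # A diff that reverses cleanly is already applied: nothing to do.
    try_patch "$1" "$2" -R --dry-run && return 0
    # Rehearse first so a failing hunk never leaves files half patched.
    try_patch "$1" "$2" --dry-run || return 1
    try_patch "$1" "$2"
}

# apply_all DIR DIFF...: patch DIR only if every diff applies, in order,
# to a scratch copy of DIR. Returns 1 and leaves DIR untouched otherwise.
apply_all() {
    target=$1; shift
    scratch=$(mktemp -d) || return 1
    cp -R "$target/." "$scratch" || { rm -rf "$scratch"; return 1; }
    for d in "$@"; do
        if ! apply_one "$scratch" "$d"; then
            echo "not applied: $d conflicts with $target" >&2
            rm -rf "$scratch"
            return 1
        fi
    done
    rm -rf "$scratch"
    for d in "$@"; do
        apply_one "$target" "$d" || return 1
    done
}

# Usage, from the OJS folder, with both diffs downloaded beforehand
# (fix-a.diff and fix-b.diff are placeholder file names):
#   apply_all lib/pkp fix-a.diff fix-b.diff
```

Running it a second time is harmless: diffs that are already applied are detected and skipped.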

Using copy, search, and replace on the files

If you don't have access to the command line on your server, you can download the files below and place them at the correct paths:

 /lib/pkp/classes/services/PKPAuthorService.inc.php
 /lib/pkp/classes/submission/PKPAuthorDAO.inc.php
 /lib/pkp/controllers/grid/users/author/AuthorGridHandler.inc.php
 /lib/pkp/controllers/grid/users/author/AuthorGridRow.inc.php
 /lib/pkp/classes/security/authorization/internal/RepresentationRequiredPolicy.inc.php
 /lib/pkp/classes/submission/RepresentationDAO.inc.php

Download the file package here (select according to your OJS version):
For OJS 3.3.X: here
For OJS 3.2.X: Coming soon
For OJS 3.1.2: not available (not supported by this vulnerability)

If you need more references, read more detail on how to patch OJS in this article.

Need any help? We provide OJS upgrade services or patching services that will be done by a professional team and with a guarantee.
All our OJS hosting clients also get free patches regarding this vulnerability.

About the Author
Project Manager

Hendra here. I love writing about OJS and sharing knowledge about OJS. My passion is the OJS and OMP platforms, and doing research on creating innovative products for those platforms to help publishers improve their publications.
