This morning we received an email from the official PKP address informing us of a security issue found in OJS 3.x (before 3.3.0-5).
The security issue was found in a third-party script, specifically the Plupload script.
Plupload is used by OJS (before 3.3.0-5) to handle the upload process. The issue has been discussed on the library's GitHub page, which can be found here:
This is a preview of the broadcast that we received:
Note that this security bug also affects OPS (3.x) and OMP (< 3.3.0.4).
How this vulnerability can be abused!
To shed light on this matter, we ran a simulation on our own server to test it, and we recap the steps here:
1. Create an html file on any server
Add the following content to that file:
<html>
<body>
<form action="http://someOJSURL.com/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="file" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>
</body>
</html>
Save that file
2. Open the file and upload any file
After creating the file, a hacker can upload any malicious file through that form. Once the form is submitted, it will show this response.
The uploaded file is stored in the server's temporary file location, inside an additional plupload folder. If the server has no folder traversal protection, the attacker can then access that malicious file and do anything to your OJS system: access the database, inject a cryptocurrency miner, send zipped virus files to any of your OJS users, steal any information from your OJS, or use all of the information on your server, including user data, for illegal purposes.
This is a very serious threat, and the potential damage is very concerning. We recommend that you immediately upgrade or patch your OJS. Keep reading, as we explain the steps for both below.
How you can fix this issue
To fix this issue, you can use one of two methods.
1. Upgrade your OJS (highly recommended)
2. Remove the file concerned.
1. Upgrade OJS to the latest version
Just a few days ago (7 Apr 2021), PKP released a new version of OJS 3: OJS 3.3.0-5. This release fixes the above vulnerability, and as a bonus you also get the fixes and improvements over the previous version of OJS. Upgrading also protects you from still-unknown issues in the previous version of your OJS.
For the complete OJS 3.3.0-5 changelog, see this list:
3.3.0-5 Build
-------------
#6910: Use proper identification when issuing HTTP requests
#6892: View more accessible button label is broken in 3.3
#6888: Ensure Composer dependency test/example code is safe
#6886: crossrefReferenceLinking plugin: consider all references settings
#6879: Site settings not visible for usage statistics plugin when only one context exists
#6873: Saving the Website - Appearance - Setup form auto-focuses on Homepage Image Alt Text field
#6872: Article links broken after update to 3.3.0-4
#6871: Session destruction (and duplicate) warnings in the PHP error log
#6870: SQL logic error in upgrade when using PostgreSQL
#6862: Author name is not localized in How-to-Cite citation
#6757: Supported form locales can be serialized as associative array
You can follow this guide: https://openjournaltheme.com/how-to-upgrade-ojs-3 for detailed instructions on upgrading your OJS. Because this upgrade is urgent, we are also offering 40% off the initial price of our service for upgrading OJS 3 to the latest version. Please use the coupon URGENTUPGRADE (only valid until 21 April 2021).
Access our upgrade service here:
https://openjournaltheme.com/ojs-upgrade-services/
2. Removing the concerning file
When we tested the vulnerability in the simulation on our server, we found that it is caused by an example file shipped with Plupload, whose primary purpose is to help developers implement the library in their own code. Unfortunately, this example file opens a door for hackers to upload malicious files to the server, and many developers are unaware that the script is there.
We do not recommend relying on removal alone, since we believe that upgrading your OJS also protects your live installation from various other disclosed vulnerabilities. However, this step is still very important. The steps for removing the file are:
Access your cPanel / server.
Go to the folder
/yourOJSInstallation/lib/pkp/lib/vendor/moxiecode/plupload/examples
Find the file named upload.php in that folder and remove it right away!
If you have any code caching such as OPcache on your server, don’t forget to restart your PHP-FPM service.
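The removal step above, extended into a small audit, as an added example that is not PKP's or Plupload's code: it lists leftover example scripts under a web root, files sitting in the temp directory's plupload folder, and POST requests to the script in an access log. The function names, the common/combined log format and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not PKP or Plupload code): audit for the leftover example uploader.

# List every example upload.php below web root $1 (may hold several OJS/OMP/OPS installs).
find_example_uploaders() {
    find "$1" -type f -name upload.php -path '*/moxiecode/plupload/examples/*'
}

# List files in the "plupload" folder of temp directory $1, where the example
# script stores whatever is posted to it.
find_plupload_drops() {
    if [ -d "$1/plupload" ]; then find "$1/plupload" -type f; fi
}

# Print "client status path" for each POST to the example script in access log $1.
# Assumes the common/combined log format.
find_upload_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/plupload\/examples\/upload\.php/ { print $1, $9, $7 }' "$1"
}

# Delete the example scripts below $1, printing each removed path.
remove_example_uploaders() {
    find_example_uploaders "$1" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# Constructed sample data: one install, one stored upload, a three-line log.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/journal/lib/pkp/lib/vendor/moxiecode/plupload/examples" "$d/tmp/plupload"
    echo '<?php // stand-in' > "$d/www/journal/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php"
    echo 'stand-in' > "$d/tmp/plupload/uploaded-sample.bin"
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [10/Apr/2021:08:15:02 +0000] "GET /index.php/journal HTTP/1.1" 200 5120
198.51.100.7 - - [10/Apr/2021:08:16:40 +0000] "POST /lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php HTTP/1.1" 200 47
192.0.2.10 - - [10/Apr/2021:08:17:11 +0000] "POST /index.php/journal/login/signIn HTTP/1.1" 302 0
EOF
    echo "$d"
}

s=$(make_sample)
find_example_uploaders "$s/www"; find_plupload_drops "$s/tmp"; find_upload_posts "$s/access.log"
remove_example_uploaders "$s/www"
rm -rf "$s"
```

On a real server, point the functions at your own web root, PHP temp directory and access log. Any file reported in the plupload temp folder, or any POST to the example script that returned 200, is worth investigating before you delete anything.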
That’s it. Choose the method that is right for you and do it now, before it is too late.
Before we end, it is also worth mentioning that you should consider improving the security of your OJS by following the steps we have explained in this dedicated article: