This morning we received an email from PKP informing us about a security issue found in OJS 3.x (before 3.3.0-5).
The security issue was found in a third-party script, specifically the Plupload script.
Plupload is used by OJS (before 3.3.0-5) to handle the upload process. This has been discussed on the library's GitHub page:
This is a preview of the broadcast that we received:
Note that this security bug also affects OPS (3.x) and OMP (< 3.3.0.4).
How this vulnerability can be abused!
To shed light on this matter, we ran a simulation on our own server to test this alarming issue, and we recap the steps here:
1. Create an HTML file on any server
Add the following content to that file:
<html>
<body>
<form action="http://someOJSURL.com/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php" method="post" enctype="multipart/form-data">
  Select image to upload:
  <input type="file" name="file" id="fileToUpload">
  <input type="submit" value="Upload Image" name="submit">
</form>
</body>
</html>
Save that file.
2. Open the file and upload any file
Once the attacker has created the file, they can choose any malicious file in that form; after submitting the form, the server returns this response.
The uploaded file is written to the server's temporary directory, in an additional plupload subfolder. If the server has no protection against path traversal, the attacker can reach that malicious file and do anything to your OJS system: access the database, inject a cryptocurrency miner, send virus-laden zip files to any of your OJS users, steal information from your OJS, or use all the information on your server, including user data, for illegal purposes.
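Added example (not from the original post, PKP or Plupload): a POSIX shell script a site operator can run over a web server access log to flag POST requests to the example endpoint described above, and to list any files left behind in the plupload subfolder of PHP's upload_tmp_dir. The log lines are constructed; the temp-dir argument is whatever upload_tmp_dir resolves to on your host.

```shell
#!/bin/sh
# Added example (not from the original post): flag POST requests to the exposed
# Plupload example endpoint in a web server access log, and list any files left
# behind under <upload_tmp_dir>/plupload, the location the post describes.
set -eu

PLUPLOAD_ENDPOINT='/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php'

# Print every access-log line that POSTs to the example endpoint, whatever
# sub-path the OJS install lives under. Usage: plupload_hits <access_log>
plupload_hits() {
    grep -E "\"POST [^ ]*${PLUPLOAD_ENDPOINT}" "$1" || true
}

# Number of such requests (useful as an alert threshold).
count_plupload_hits() {
    plupload_hits "$1" | wc -l | tr -d ' '
}

# List files an upload would have dropped into <tmpdir>/plupload, if any.
# Usage: list_dropped_files <php_upload_tmp_dir>
list_dropped_files() {
    [ -d "$1/plupload" ] || return 0
    find "$1/plupload" -type f
}

# Constructed sample log in combined format (not real traffic). The two POST
# lines are what this vulnerability looks like from the web server's side.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Apr/2021:09:12:01 +0000] "GET /index.php/journal/issue/current HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:09:12:44 +0000] "POST /lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Apr/2021:09:13:02 +0000] "GET /lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
198.51.100.3 - - [10/Apr/2021:09:13:09 +0000] "POST /ojs/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php HTTP/1.1" 200 37 "-" "curl/7.68.0"
EOF

echo "POSTs to the Plupload example endpoint: $(count_plupload_hits "$SAMPLE_LOG")"
plupload_hits "$SAMPLE_LOG"
```

Point `plupload_hits` at your real access log and `list_dropped_files` at the directory `php -i | grep upload_tmp_dir` reports; any hit before the fix was applied means the dropped files need to be reviewed.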
This is a very serious issue given how damaging the consequences can be, so we recommend that you upgrade or patch your OJS immediately. Keep reading, as we explain the steps for doing so below.
How you can fix this issue
There are two ways to fix this issue:
1. Upgrade your OJS (strongly recommended)
2. Remove the offending file.
1. Upgrade OJS to the latest version
A few days ago (7 Apr 2021), PKP released a new version of OJS 3, namely OJS 3.3.0-5. This latest release should fix the vulnerability above and, as a bonus, you also get the fixes and refinements over your previous OJS version. Upgrading your OJS also protects you from as-yet-unknown issues in your previous OJS version.
For the complete changelog of OJS 3.3.0-5, see this list:
3.3.0-5 Build
-------------
#6910: Use proper identification when issuing HTTP requests
#6892: View more accessible button label is broken in 3.3
#6888: Ensure Composer dependency test/example code is safe
#6886: crossrefReferenceLinking plugin: consider all references settings
#6879: Site settings not visible for usage statistics plugin when only one context exists
#6873: Saving the Website - Appearance - Setup form auto-focuses on Homepage Image Alt Text field
#6872: Article links broken after update to 3.3.0-4
#6871: Session destruction (and duplicate) warnings in the PHP error log
#6870: SQL logic error in upgrade when using PostgreSQL
#6862: Author name is not localized in How-to-Cite citation
#6757: Supported form locales can be serialized as associative array
You can follow this guide: how to upgrade OJS 3, for detailed instructions on upgrading your OJS. Since this upgrade is urgent, we are also offering a 40% discount on our service for upgrading OJS 3 to the latest version if you need help. Please use the coupon URGENTUPGRADE (only valid until 21 April 2021).
Access our upgrade service.
2. Removing the concerning file
When we tested the vulnerability in the simulation on our server, we found that it is caused by an example file left behind by Plupload, whose main purpose is to help developers implement the library in their own code. Unfortunately, this example file opens the door for hackers to upload malicious files to the server, and many developers are unaware that this script is present.
Although removing the file alone is not the approach we recommend, since we believe that upgrading your OJS protects your live installation against the various other disclosed vulnerabilities as well, this step is still very important to perform. The steps for removing the file are explained here:
Access your cPanel / server.
Go to the folder
/yourOJSInstallation/lib/pkp/lib/vendor/moxiecode/plupload/examples
Find the file named upload.php in that folder and remove it right away!
If you use code caching such as OPcache on your server, don't forget to restart your PHP-FPM service.
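Added example (not from the original post or from PKP): a POSIX shell script that audits one or more OJS/OMP/OPS installation roots for the example script at the path given above and removes it on request, so the same check can be repeated across every installation on a host. The directory trees it demonstrates on are constructed throwaways; the PHP-FPM unit name in the closing comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit one or more OJS/OMP/OPS
# installation roots for the exposed Plupload example script named in the post,
# and remove it on request. Nothing else under the vendor tree is touched.
set -eu

EXAMPLE_REL='lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php'

# Print "<root> EXPOSED" or "<root> clean" for every root given.
# Usage: audit_roots <root> [<root> ...]
audit_roots() {
    for root in "$@"; do
        if [ -f "$root/$EXAMPLE_REL" ]; then
            printf '%s EXPOSED\n' "$root"
        else
            printf '%s clean\n' "$root"
        fi
    done
}

# Remove the example script under one root. Returns 0 when the file is gone
# afterwards, 1 when it was not present to begin with.
# Usage: remove_plupload_example <root>
remove_plupload_example() {
    target="$1/$EXAMPLE_REL"
    [ -f "$target" ] || return 1
    rm -f -- "$target"
    [ ! -e "$target" ]
}

# Demo on constructed, throwaway directory trees (not real installations).
VULN_ROOT=$(mktemp -d)
CLEAN_ROOT=$(mktemp -d)
mkdir -p "$VULN_ROOT/$(dirname "$EXAMPLE_REL")"
: > "$VULN_ROOT/$EXAMPLE_REL"

audit_roots "$VULN_ROOT" "$CLEAN_ROOT"
remove_plupload_example "$VULN_ROOT" && echo "removed $EXAMPLE_REL from $VULN_ROOT"
audit_roots "$VULN_ROOT"
# With OPcache enabled, restart PHP-FPM afterwards so the deleted script is not
# still served from cache, e.g. `systemctl restart php-fpm` (unit name varies).
```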
That's it. Choose the method that is right for you and act now, before it is too late.
Before we end, it is also worth mentioning that you should consider further improving the security of your OJS by following the steps we explain in this dedicated article: