This morning we have received info from the official PKP email that informs us about the security issue found on OJS 3.X (before 3.3.0-5).
The security issue found from the third-party script, to be precise from Plupload script.
The Plupload is used by OJS (before 3.3.0-5) for handling the upload process. This is have been discussed on the library GitHub page that can be found here: https://github.com/moxiecode/plupload/issues/1536
This is the preview of the broadcast that we have received :
Note this security bug also affected on OPS (3.x) and OMP (< 220.127.116.11)
How this vulnerability can be abused!
To shed a light for this matter, we have try a simulation on our server to test this alarming matter and we explain recap the steps here :
1. Create a html file on any server
Add this following content to that file:
<body> <form action="http://someOJSURL.com/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php" method="post" enctype="multipart/form-data"> Select image to upload: <input type="file" name="file" id="fileToUpload"> <input type="submit" value="Upload Image" name="submit"> </form> </body> </html>
Save that file
2. Open the file and upload any file
after the hacker have created the file, he can upload any malicious file to that form and after uploading a file to that form and send it by submitting the form, it will show this response.
The uploaded file will be uploaded in the server temporary file location with the additional folder plupload on that temporary folder. If the server does not have any traversal folder protection, then he can access that malicious file and will do anything to your OJS system from accessing the database, inject some crypto currency miner, send any virus file with zipped form to any of the user of your OJS, stealing any information from your OJS or use all the information including user data on your server for illegal purpose.
This threat is very important issue considering the threat the result is very concerning, we recommend that you immediately upgrade or perform patching actions on your OJS. Keep following this article since we will explain the step for doing such activity.
How you can fix this issue
To fix this issue, you can do with two method.
1. Upgrade your OJS (very recommended)
2. Removing the concerning file.
1. Upgrade OJS to the latest version
Just a few days ago (7 Apr 2021), PKP has released the new version of OJS 3. It is OJS 3.3.0-5, this latest release has to fix the above vulnerability and as a bonus, you also have got the fix and improvement from the previous version of OJS. Upgrading your OJS also protect you from the still unknown issue from the previous version of your OJS.
For complete the OJS 3.3.0-5’s Changelog, pay attention to this list :
3.3.0-5 Build ------------- #6910: Use proper identification when issuing HTTP requests #6892: View more accessible button label is broken in 3.3 #6888: Ensure Composer dependency test/example code is safe #6886: crossrefReferenceLinking plugin: consider all references settings #6879: Site settings not visible for usage statistics plugin when only one context exists #6873: Saving the Website - Appearance - Setup form auto-focuses on Homepage Image Alt Text field #6872: Article links broken after update to 3.3.0-4 #6871: Session destruction (and duplicate) warnings in the PHP error log #6870: SQL logic error in upgrade when using PostgreSQL #6862: Author name is not localized in How-to-Cite citation #6757: Supported form locales can be serialized as associative array
You can follow this guide: https://openjournaltheme.com/how-to-upgrade-ojs-3 to help you with detailed instructions for upgrading your OJS. Considering that this upgrade process is urgent we also provide a discount if you need our service for upgrading your OJS with 40% off from the initial price on our service for upgrading the OJS 3 version to the latest one. Please use the coupon URGENTUPGRADE (only valid until 21 April 2021).
Access our upgrade service here :
2. Removing the concerning file
As we have tested the vulnerability on the simulation in our server, we found out that this is caused by an example file left by the Plupload which is the main purpose is to help developers for implementing the library on their code environment. Unfortunately, this example file opens a door for hackers to upload some malicious files on the server, and many of the developers unaware of this script’s availability.
Although this removing step is not recommended since we believe that by upgrading your OJS you have protected your current live version with various disclosed other vulnerabilities. However, this step is also very important to be done. The step for removing the file is explained here :
Access to your Cpanel / Server
Go to the folder
Find the file on that folder named upload.php and remove it right away!
If you have any code caching such as OPCache on your server, don’t forget to restart your PHP-FPM service.
That’s it, choose which method right for you and do it now before everything will be late
Before we end this, it is also worth mentioning that you should consider to improve the security of your OJS by following this step that we have explained in this dedicated article: