This CVE has been published on the official MITRE site: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56525
In recent months, many OJS/PKP Platform sites have suffered from the judol OJS hack (judi online, i.e. online gambling): the journal site is defaced with online gambling content or automatically redirected to a phishing page that shows a betting site. This ruins the credibility of the journal, and many journal editors who rely on generic hosting for OJS have complained about their journal site being defaced with judi online content or redirected to a betting site.
A critical vulnerability has been identified in versions before 3.3.0.21 (this is the expected fix version; at the time of writing the patched release is not yet available), specifically in the handling of User XML import data. This vulnerability, which can lead to an OJS betting site hack, exposes systems to exploitation and allows malicious actors to carry out attacks that compromise the integrity, confidentiality, and availability of the platform.
This article details the nature of the vulnerability, its potential impact, and the steps necessary to mitigate the risk. By raising awareness of this issue, we aim to help administrators and developers secure their systems and prevent breaches. This is crucial for protecting your OJS site from an OJS betting site hack or any other attempt to breach your server.
We recognize that an increasing number of journals are falling victim to security breaches. There is a significant incentive for “street hackers” to exploit academic domains and sell backdoor access to them. In response to the growing number of threats targeting journals, we have developed Guardian AI and OJT Advanced Security. These tools are built in-house by our expert team and cannot be found at any other hosting service. These advanced, exclusive security solutions are designed to protect our clients, whether they use our Support Service or our Managed Hosting Service.
If your journal requires enhanced care—including additional security tools, expert support to manage surges in journal traffic, and daily backups—our service is here to meet those needs. Consider leveraging our solutions to ensure your journal is fully protected and operates seamlessly.
As we provide managed OJS/OMP hosting and support services globally, new threats may arrive without warning and remain unknown even to PKP itself. To honour our commitment to high-quality service for our clients, our team proactively uses our monitoring system for early detection of new threats.
Previously we found a CRITICAL vulnerability that allowed a hacker to gain admin access by enrolling author roles in OJS; this time we have found another one, in which a journal editor can escalate his or her role to super administrator with a very creative approach.
How we found this vulnerability
Thanks to the availability of our expert team and the tools we have built, which we call OJT Guardian and OJT Advanced Security (OJT Plugin), in our managed hosting and support service, we receive early warnings about new malicious activity in our clients' OJS installations. These warnings then help us to perform a deeper analysis of the system's activity log to gain more information.
In coordination with our team we reconstructed the following steps taken by the hacker:
1. Login as a real user in the OJS
Using the web server activity log we found this entry:
156.146.57.120 - - [09/Dec/2024:18:48:05 +0700] "GET /journalName/login HTTP/1.1" 200 10684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
As you can see in the log below, the hacker is not doing any brute-force activity; he logged in flawlessly, and nothing flagged this login as malicious.
156.146.57.120 - - [09/Dec/2024:18:48:42 +0700] "GET /journalName/management/tools HTTP/1.1" 200 4287 "https://example.com/journalName/submissions" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
After logging in as a user with the “Journal Editor” role, the hacker then accessed the Tools section in OJS to import a new user using the User XML import tool:
156.146.57.120 - - [09/Dec/2024:18:48:43 +0700] "GET /JPERPUS/management/importexport?_=1733744921689 HTTP/1.1" 200 763 "https://e-journal.example.ac.id/journalName/management/tools" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:48:56 +0700] "GET /JPERPUS/management/importexport/plugin/UserImportExportPlugin HTTP/1.1" 200 5568 "https://example.com/journalName/management/tools" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:05 +0700] "POST /journalName/management/importexport/plugin/UserImportExportPlugin/uploadImportXML HTTP/1.1" 200 104 "https://example.com/journalName/management/importexport/plugin/UserImportExportPlugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:10 +0700] "POST /JPERPUS/management/importexport/plugin/UserImportExportPlugin/importBounce HTTP/1.1" 200 243 "https://e-example.com/journalName/management/importexport/plugin/UserImportExportPlugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:11 +0700] "GET ....
2. Creating a user with the Admin role using the User XML import tool
After successfully importing the user, the hacker accessed the Users & Roles page and performed a “Login As” action on the user with ID 112334, which had been imported a moment earlier.
156.146.57.120 - - [09/Dec/2024:18:49:17 +0700] "GET /journalName/management/settings/access HTTP/1.1" 200 5067 "https://example.com/journalName/stats/users/users" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:25 +0700] "GET /journalName/login/signInAsUser/112334 HTTP/1.1" 302 5 "https://example.com/journalName/management/settings/access" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
Further investigation showed that the user with ID 112334 had been assigned the roles of Journal Manager (role_id 16) and Admin (role_id 1). We found this by running a SQL query to see the impact of the activity.
Because the user had administrative privileges, the hacker was able to upload plugins. A plugin upload can contain a web shell, which gives the attacker access to the server through the website interface.
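The check described above, finding every recently registered account that holds the Admin (role_id 1) or Journal Manager (role_id 16) group, as an added example (not the authors' own query). It runs against an in-memory SQLite copy of a simplified, assumed OJS-style schema (users, user_groups, user_user_groups) filled with constructed rows; verify the table and column names against your own OJS database before running the SQL there.

```python
import sqlite3

# Role ids named in this article: 1 = site admin, 16 = journal manager.
PRIVILEGED_ROLE_IDS = (1, 16)

# Assumed, simplified OJS-style tables (the real schema has many more columns).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, date_registered TEXT);
CREATE TABLE user_groups (user_group_id INTEGER PRIMARY KEY, context_id INTEGER, role_id INTEGER);
CREATE TABLE user_user_groups (user_group_id INTEGER, user_id INTEGER);
"""

# Constructed fixture: a long-standing site admin, an ordinary editor (role id 4096 is
# only a non-privileged placeholder here), and an account registered on the day of the
# incident that holds both the manager and the admin group, like user 112334 above.
FIXTURE = {
    "users": [(1, "siteadmin", "2019-01-01"), (7, "editor1", "2021-03-02"), (112334, "imported", "2024-12-09")],
    "user_groups": [(3, 1, 16), (4, 0, 1), (9, 1, 4096)],
    "user_user_groups": [(4, 1), (9, 7), (3, 112334), (4, 112334)],
}

AUDIT_SQL = """
SELECT u.user_id, u.username, GROUP_CONCAT(ug.role_id) AS role_ids
FROM users u
JOIN user_user_groups uug ON uug.user_id = u.user_id
JOIN user_groups ug ON ug.user_group_id = uug.user_group_id
WHERE ug.role_id IN (?, ?) AND u.date_registered >= ?
GROUP BY u.user_id, u.username
ORDER BY u.user_id
"""

def build_fixture():
    # Create the in-memory database and load the constructed rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in FIXTURE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def privileged_users_since(conn, since):
    # Users holding an admin or manager group who were registered on or after `since`.
    rows = conn.execute(AUDIT_SQL, (*PRIVILEGED_ROLE_IDS, since)).fetchall()
    return [(uid, name, sorted(int(r) for r in roles.split(","))) for uid, name, roles in rows]
```

Run it with a `since` date just before the suspicious login; any account it lists that nobody on the editorial team recognises deserves the same treatment as user 112334.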
3. Uploading a malicious backdoor via plugin upload
The common objective of the majority of hackers, after escalating their privileges, is to gain full access to the server. This is akin to a hungry lion relentlessly pursuing its prey, such as a deer, driven by the singular goal of achieving complete control over the target system.
Thanks to our early-warning system, OJT Advanced Security tracks any unusual activity in any of our client domains. We found in our system that a file had been uploaded with the plugin name “pdfViewer” or “ScopusIndexing”. Neither plugin is known to our team as a regular plugin, so we concluded that something malicious was being done to the client's OJS.
This is also visible in the web server activity log:
156.146.57.120 - - [09/Dec/2024:18:49:32 +0700] "GET /journalExample/$$$call$$$/grid/plugins/plugin-gallery-grid/fetch-grid?_=1733744968202 HTTP/1.1" 200 11148 "https://example.com/journalExample/management/settings/website" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:38 +0700] "GET /journalExample/$$$call$$$/grid/settings/plugins/settings-plugin-grid/upload-plugin?_=1733744968204 HTTP/1.1" 200 1241 "https://example.com/journalExample/management/settings/website" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:42 +0700] "POST /journalExample/$$$call$$$/grid/settings/plugins/settings-plugin-grid/upload-plugin-file?function=upload HTTP/1.1" 200 104 "https://example.com/journalExample/management/settings/website" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
156.146.57.120 - - [09/Dec/2024:18:49:44 +0700] "POST /journalExample/$$$call$$$/grid/settings/plugins/settings-plugin-grid/save-upload-plugin?function=upload&category=&plugin= HTTP/1.1" 200 103 "https://example.com/journalExample/management/settings/website" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
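The three stages visible in the logs above (User XML import, Login As on the imported account, plugin upload) can be correlated per client IP. The following Python is an added detection example written for this article, not part of OJS or of the tools described here; the log lines inside it are constructed to mirror the excerpts above, and the 15-minute window is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the excerpts above (referers/UAs shortened);
# the last line is unrelated admin activity and must not trigger an alert.
SAMPLE_LOG = """\
156.146.57.120 - - [09/Dec/2024:18:49:05 +0700] "POST /journalName/management/importexport/plugin/UserImportExportPlugin/uploadImportXML HTTP/1.1" 200 104 "-" "Mozilla/5.0"
156.146.57.120 - - [09/Dec/2024:18:49:25 +0700] "GET /journalName/login/signInAsUser/112334 HTTP/1.1" 302 5 "-" "Mozilla/5.0"
156.146.57.120 - - [09/Dec/2024:18:49:42 +0700] "POST /journalName/$$$call$$$/grid/settings/plugins/settings-plugin-grid/upload-plugin-file?function=upload HTTP/1.1" 200 104 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Dec/2024:19:10:00 +0700] "GET /journalName/login/signInAsUser/42 HTTP/1.1" 302 5 "-" "Mozilla/5.0"
"""
# Combined log format prefix: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The stages of the chain shown above, in the order the attacker used them.
STAGES = [
    ("user_xml_import", re.compile(r"/UserImportExportPlugin/(uploadImportXML|importBounce)$")),
    ("sign_in_as", re.compile(r"/login/signInAsUser/\d+$")),
    ("plugin_upload", re.compile(r"/settings-plugin-grid/(upload-plugin-file|save-upload-plugin)$")),
]

def parse_line(line):
    # Return (ip, timestamp, path without query string), or None if the line does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]

def find_escalation_chains(log_text, window=timedelta(minutes=15)):
    # Map each IP that hit all stages, in order and within `window`, to the time of its XML import.
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, path = rec
            events[ip].extend((ts, name) for name, pat in STAGES if pat.search(path))
    hits = {}
    for ip, seq in events.items():
        seq.sort()
        idx, start = 0, None
        for ts, name in seq:
            # Advance only on the next expected stage, and only while it stays inside the window.
            if idx < len(STAGES) and name == STAGES[idx][0] and (idx == 0 or ts - start <= window):
                start = ts if idx == 0 else start
                idx += 1
        if idx == len(STAGES):
            hits[ip] = start
    return hits
```

A single Login As or a single XML import is normal editorial work; it is the full sequence from one client in a short window that is worth an alert.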
After we found the issue, our team removed the user and improved our tool, Guardian AI, by adding detection and blocking of such unusual activity. Thanks to the early-warning feature included in Guardian AI, it notified us and quarantined the suspicious files using our AI detection system. These plugins are Trojan horses uploaded under innocuous-looking names, “PdfViewer” and “ScopusIndexing”, so that the naked eye cannot tell that the plugin is actually a backdoor, which hackers then abuse to inject scripts that place backlinks to betting or online gambling sites.
In another case, because this kind of activity is easily blocked by our server tool (OJT Guardian), hackers in their desperation tried to add backlinks to gambling sites (judol, judi online) in text editor content such as “About the journal”, “Journal Description” and other fields. This illegal activity is of course also blocked by our plugin OJT Advanced Security, which blocks any attempt to add such backlinks.
So what is the cause of this?
Since hackers can access OJS without any hurdles by using valid credentials, the question is: how do hackers obtain these valid credentials? There are several possible reasons why a hacker might have gained access to this user account:
- Weak or Guessable Passwords: The user may have used a password that is easy to guess or crack, such as common words, simple patterns, or default passwords.
- Data Breaches and Leaks: The user’s credentials might have been exposed in a data breach or leak on another platform. These credentials can be checked on websites like Have I Been Pwned.
- Password Reuse: The user may have reused the same password across multiple accounts, making it easier for hackers to gain access if one of those accounts is compromised.
- Phishing Attacks: The user could have fallen victim to a phishing attack, where they unknowingly provided their credentials to a malicious actor.
- Insider Threats: In some cases, valid credentials may be obtained through insider threats, where someone with legitimate access shares or misuses their credentials.
- Unsecured Networks: If the user logged in over an unsecured or public network, their credentials could have been intercepted.
So, even if you are using the latest version of OJS, there is still a chance of being hacked. To address this, we have equipped OJS Advanced Security with a smart Two-Way Authentication (2FA) system. This system ensures that any unusual activity triggers a requirement for the user to log in again with email validation. With this method, not all users are burdened with additional login steps; only users exhibiting suspicious behavior are prompted to complete the 2FA process. This approach balances security and usability, providing robust protection without unnecessarily complicating the login experience for legitimate users.
The most critical issue at the moment is that even the latest versions of OJS, specifically 3.3.0.20 and 3.4.0-8, remain unsafe and still contain this security vulnerability. As a result, manual patching is necessary to prevent malicious attempts by hackers from exploiting this security hole. Without these manual fixes, the system remains at risk, highlighting the importance of taking immediate action to secure your OJS installation.
How can you fix this issue?
On our infrastructure, our clients are protected by our exclusive, in-house AI tools, Guardian AI and OJT Advanced Security, so for all clients using our support service or managed OJS hosting service nothing needs to be done, as both protection tools are included in those services. For everyone else, we suggest that you upgrade your OJS to the latest release of the 3.3 or 3.4 stream. After you have upgraded, you also need to patch your OJS using the patch from this link:
https://github.com/pkp/pkp-lib/issues/10738
For information on how to patch, you can follow our tutorial here:
Please note that patching should be done by experienced personnel. We do not take any responsibility if the patch makes your OJS unstable.
FAQ
Does upgrading OJS to 3.4 or the latest version fix this issue?
Answer:
No. The fix will be released for 3.3.0-21 and 3.5. Upgrading to the current latest version won't fix this vulnerability.
Can Cloudflare (CF) protect us from this breach?
Answer:
Absolutely not, as CF only protects against common attacks such as common SQL injection, some DDoS attacks and other generic attacks. Because the hacker abuses a vulnerability that is specific to OJS, CF fails to identify the activity as malicious and treats it as legitimate workflow or traffic.
Need our team to handle your server and OJS security? Contact us here now, before it is too late!