OJS patch list
reference: https://github.com/pkp/pkp-lib/issues/7786
To Reproduce
Steps to reproduce the behavior:
1. Go to Submissions.
2. Click on New Submission.
3. Enter the required primary article data and click Save and Continue.
4. Select the article component.
5. Upload a *.phtml or *.shtml file, or a file whose extension uses mixed-case characters (evil.pHtMl etc.).
If the ill-wisher knows how OJS forms links and filenames, then running the script will not be difficult.
What application are you using?
The issue applies to OJS 3.2.1.1 - OJS 3.3.0-10 (it seems to me).
Additional information
While I was troubleshooting the upgrade to 3.3.0-10 today, my journal site on 3.2.1.1 got hacked.
Some bastard was able to change my .htaccess file, create files and folders in /uploads/journal and in /, and replace the main page of the site.
Because he could have stolen the parameters from the configuration file, I subsequently changed all the passwords indicated there.
⚠️ I think I found a vulnerability...
After checking the code of 3.3.0-10, I believe it remains there too.
I made changes to the function parseFileExtension in /lib/pkp/classes/file/FileManager.inc.php.
Current (stock):
/**
 * Parse the file extension from a filename/path.
 * @param $fileName string
 * @return string
 */
function parseFileExtension($fileName) {
    $fileParts = explode('.', $fileName);
    if (is_array($fileParts) && count($fileParts) > 1) {
        $fileExtension = $fileParts[count($fileParts) - 1];
    }
    // FIXME Check for evil
    // Denylist: only extensions containing "php" are rejected, so "phtml"/"shtml" pass.
    if (!isset($fileExtension) || stristr($fileExtension, 'php') || strlen($fileExtension) > 6 || !preg_match('/^\w+$/', $fileExtension)) {
        $fileExtension = 'txt';
    }
    // consider .tar.gz extension
    if (strtolower(substr($fileName, -7)) == '.tar.gz') {
        $fileExtension = substr($fileName, -6);
    }
    return $fileExtension;
}
Modified:
/**
 * Parse the file extension from a filename/path.
 * @param $fileName string
 * @return string
 */
function parseFileExtension($fileName) {
    $fileParts = explode('.', $fileName);
    if (is_array($fileParts)) {
        $fileExtension = $fileParts[count($fileParts) - 1];
    }
    // Allowlist: anything not in this list (compared case-insensitively) becomes .txt
    if (!isset($fileExtension) || !in_array(strtolower($fileExtension), array('tex', 'rtf', 'doc', 'docx', 'pdf', 'zip', 'gz', 'xls', 'odf', 'eps', 'jpg', 'jpeg', 'png', 'gif', 'tiff', 'ai', 'rar')) || strlen($fileExtension) > 6 || !preg_match('/^\w+$/', $fileExtension)) {
        $fileExtension = 'txt';
    }
    // consider .tar.gz extension
    if (strtolower(substr($fileName, -7)) == '.tar.gz') {
        $fileExtension = substr($fileName, -6);
    }
    return $fileExtension;
}
It works. Now *.phtml goes to *.txt too.
I understand that I could perhaps have solved the issue at the level of the web server settings rather than by editing the code.
But this way I defined a list of file types that are at least relatively safe to upload to the server.
My solution is clumsy and does not claim to be elegant, but I had to act quickly.
I will wait for the official patch for this problem.
Dear friends, be careful!
P.S.
Forgive me if something is stated awkwardly, but I'm still on edge from an unexpected situation.
I consider myself lucky that this happened just when I was on the server and was able to notice it fairly quickly.
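As an added illustration (not part of the issue report or of OJS itself), the two PHP checks above are ported to Python and run side by side over constructed filenames, showing which extensions the stock denylist lets through and the allowlist turns into .txt:

```python
import re

# Extensions the reporter allow-listed in the patched FileManager.inc.php.
SAFE_EXTS = {'tex', 'rtf', 'doc', 'docx', 'pdf', 'zip', 'gz', 'xls', 'odf',
             'eps', 'jpg', 'jpeg', 'png', 'gif', 'tiff', 'ai', 'rar'}

# PHP's \w without the /u flag is ASCII-only; mirror that here.
_WORD = re.compile(r'[A-Za-z0-9_]+')


def _tar_gz(filename: str, ext: str) -> str:
    # Both versions special-case .tar.gz after the main check.
    return filename[-6:] if filename.lower().endswith('.tar.gz') else ext


def parse_ext_denylist(filename: str) -> str:
    """Stock OJS logic: reject only extensions containing 'php' (stristr)."""
    parts = filename.split('.')
    ext = parts[-1] if len(parts) > 1 else None
    if (ext is None or 'php' in ext.lower()
            or len(ext) > 6 or not _WORD.fullmatch(ext)):
        ext = 'txt'
    return _tar_gz(filename, ext)


def parse_ext_allowlist(filename: str) -> str:
    """Reporter's patch: accept only extensions found in SAFE_EXTS."""
    ext = filename.split('.')[-1]
    if (ext.lower() not in SAFE_EXTS
            or len(ext) > 6 or not _WORD.fullmatch(ext)):
        ext = 'txt'
    return _tar_gz(filename, ext)


# Constructed sample filenames; the mixed-case and .phtml/.shtml cases
# are the ones described in the report.
SAMPLES = ['paper.pdf', 'figure.PNG', 'data.tar.gz', 'README',
           'evil.php', 'evil.PhP', 'evil.pHtMl', 'evil.shtml']


def compare(filenames=SAMPLES):
    """Map each filename to (denylist result, allowlist result)."""
    return {f: (parse_ext_denylist(f), parse_ext_allowlist(f))
            for f in filenames}


if __name__ == '__main__':
    for name, (deny, allow) in compare().items():
        flag = '  <-- slips past the denylist' if deny != allow else ''
        print(f'{name:12} denylist={deny:7} allowlist={allow:7}{flag}')
```

The run shows that mixed-case .php variants were already caught by stristr; the gap is .phtml and .shtml, which the allowlist closes.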