Security questions

Hi,

  1. Why does the list of submission numbers, as seen in the File Browser section of the Journal Manager, contain holes (only one journal on one OJS installation)? E.g. #600, #601, #603 appear, but #602 does not exist?

  2. Relatedly, I found some numbers in the file browser which do not correspond to any submission.
    The corresponding downloaded file has the suffix .phtml and contains “Captain Crunch Security TeaM”, which could correspond to some hackers. Any idea how to avoid this kind of fake submission?

Best
Claude

Hi @Claude_Sabbah,

The holes in numbering probably correspond to submissions that were started by the author but never completed. These aren’t accessible to the editors.

The .phtml problems are suspicious. Ensure that your files directory is outside of the web server’s root, or that you use a .htaccess file or similar mechanism to prevent direct access to these files via the web server. Also ensure that your file permissions are not 777, as this is always a security risk on a shared server.

Regards,
Alec Smecher
Public Knowledge Project Team
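
The checks suggested in the reply above can be scripted. This is an added example, not part of the original thread and not PKP code: it reports whether the files directory sits under the web root, which entries are world-writable, and which files carry a script extension such as .phtml. The function name `audit_files_dir` and the extension list are assumptions to adapt to your server.

```python
import stat
import sys
from pathlib import Path

# Extensions a PHP-enabled web server may execute
# (assumed list; match it to your own handler configuration).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5"}


def audit_files_dir(files_dir, web_root):
    """Return (kind, path) findings for the three checks named in the reply."""
    files_dir = Path(files_dir).resolve()
    web_root = Path(web_root).resolve()
    findings = []

    # 1. The files directory should not be the web root or live beneath it.
    if files_dir == web_root or web_root in files_dir.parents:
        findings.append(("inside-web-root", str(files_dir)))

    for path in [files_dir, *sorted(files_dir.rglob("*"))]:
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # permission bits on a symlink itself are not meaningful
        # 2. World-writable entries (777, 666, ...) let any local account plant files.
        if mode & stat.S_IWOTH:
            findings.append(("world-writable", str(path)))
        # 3. Script extension anywhere in the name, e.g. "602.phtml" or "x.phtml.pdf".
        if stat.S_ISREG(mode) and any(s.lower() in SCRIPT_EXTS for s in path.suffixes):
            findings.append(("script-file", str(path)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_files_dir.py FILES_DIR WEB_ROOT")
    results = audit_files_dir(sys.argv[1], sys.argv[2])
    for kind, path in results:
        print(f"{kind}\t{path}")
    sys.exit(1 if results else 0)
```

Run it with the configured files directory and the web server's document root as arguments; a non-zero exit status means at least one finding was reported.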