File type limits and malicious users

For me, the submission system has many problems, starting with the fact that it has no file type limit filters and no limit on the number of files an author is allowed to upload. The steps to complete a submission should have a time limit and not remain active for as long as the author wants without completing; this causes a bug that I have been suffering from for several months. It turns out that there are malicious users who create an account, make a submission and start uploading files compressed with 7-zip, each smaller than the maximum size that PHP allows. They manage to upload more than 4 GB, which remains in the “files/journals/journal_id/id-submission” folder and is accessible at any time, even if the submission has not been completed. Then, with a bot written in Python, they distribute those files on the Internet and use the OJS site as storage. These uploads are even done with a Python bot. I have managed to stop that bot from working on my 11 journals and I have eliminated most of the spam users, but that submission module needs more security; it is an open door to hackers and has poor security.

Greetings

Hi @Sasuke_Chang,

I moved your comments to a separate post so it can be addressed here. I wanted to point out this post here: Limiting uploaded file types - #5 by asmecher, which discusses the allowed uploads plugin that you might want to look into to help with this issue. Also, it might be worth having a look at our administrator’s guide recommendations on configuration: https://docs.pkp.sfu.ca/admin-guide/3.3/en/configure - this may help address some of the issues you’re facing, but if you have additional questions, please let us know.

-Roger
PKP Team

Thank you very much for taking care of my post and moving it to a more important section to deal with this topic.

As for the Allowed Uploads plugin, I have already tried it, and it turns out that it cannot detect whether the type of file being uploaded actually matches its extension; therefore the attacker would just change the extension and continue uploading files. (In fact, among the junk files uploaded I found some with a .doc or .pdf extension that were not, and that plugin had not yet been activated.)

Most of the recommendations for configuring the site have already been applied, except for clean URLs, which I am now going to set up based on that guide.

Greetings and thanks once again
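The mismatch described in the post above (a 7-zip archive carrying a .pdf or .doc extension) is exactly what an extension-only allow-list cannot catch. The following is an added example, not OJS code and not the Allowed Uploads plugin: it sniffs the leading bytes of each file in a submission folder and compares them with the extension, resolving the shared ZIP header of .docx/.xlsx/.pptx by checking for `[Content_Types].xml` inside the archive. The signature table, the function names and the sample files written by `build_samples()` are all constructed for the demo.

```python
"""Added example: flag uploads whose content does not match their extension.
Not part of OJS or the Allowed Uploads plugin; signatures and sample files are
constructed for illustration."""
import tempfile
import zipfile
from pathlib import Path

# Leading-byte signatures for types an OJS submission commonly carries.
# OOXML documents and plain ZIPs share "PK\x03\x04", so OOXML extensions are
# resolved by looking at the archive's member names in verdict().
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 container (.doc/.xls/.ppt)
    "zip": (b"PK\x03\x04",),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "gz": (b"\x1f\x8b",),
    "rar": (b"Rar!\x1a\x07",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
OOXML_EXTS = {"docx", "xlsx", "pptx"}
ZIP_MAGIC = b"PK\x03\x04"
HEADER_LEN = 16


def detect(header: bytes) -> set:
    """Return the names of all signatures that match the leading bytes."""
    return {name for name, sigs in SIGNATURES.items()
            if any(header.startswith(s) for s in sigs)}


def verdict(ext: str, header: bytes, zip_names=None) -> str:
    """Classify as 'ok', 'mismatch' or 'unknown' from the extension, the
    leading bytes and (for ZIP containers) the list of archive member names."""
    ext = ext.lower().lstrip(".")
    if ext in OOXML_EXTS:
        # A genuine Office Open XML file is a ZIP that carries [Content_Types].xml.
        if not header.startswith(ZIP_MAGIC) or zip_names is None:
            return "mismatch"
        return "ok" if "[Content_Types].xml" in zip_names else "mismatch"
    if ext not in SIGNATURES:
        return "unknown"  # extend SIGNATURES rather than silently accepting
    return "ok" if ext in detect(header) else "mismatch"


def check_path(path) -> str:
    """Read the header (and ZIP member names, if applicable) and classify the file."""
    path = Path(path)
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    names = None
    if header.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = None  # ZIP header but unreadable archive: OOXML check fails
    return verdict(path.suffix, header, names)


def scan(root) -> list:
    """Walk a files directory; return (relative path, verdict) for every file
    whose content does not positively match its extension."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            v = check_path(p)
            if v != "ok":
                findings.append((str(p.relative_to(root)), v))
    return findings


def build_samples(root) -> None:
    """Write constructed sample files resembling a submission folder,
    including two uploads that were renamed to pass an extension filter."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "paper.pdf").write_bytes(b"%PDF-1.7\n%constructed\n")           # genuine
    (root / "archive.pdf").write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\0" * 32)  # 7-zip renamed to .pdf
    with zipfile.ZipFile(root / "manuscript.docx", "w") as zf:            # docx skeleton
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(root / "figures.docx", "w") as zf:               # plain ZIP renamed to .docx
        zf.writestr("bot.py", "print('hi')")
    (root / "notes.txt").write_text("no signature for this type")


def demo() -> list:
    """Build the samples in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, v in demo():
        print(f"{v:9s} {rel}")
```

Run it against a real OJS files directory with `scan("/path/to/files/journals")`. The check only proves that the first bytes look like the claimed type: a polyglot that starts with a valid PDF header and carries an archive after it would still pass, so treat a mismatch as a definite finding and an "ok" as nothing more than the absence of a crude rename.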

Especially make sure that your files directory is outside of the OJS application directory: https://docs.pkp.sfu.ca/admin-guide/3.3/en/configure#secure-files-directory

Yes, it is thanks to that that the sites have not been hacked. Among the things I have found in the files folder, they have put bash scripts, Python scripts, etc. to escalate privileges, and they have not been able to.

I would like to share an .htaccess configuration that has helped me prevent Python bots from bothering my site:

RewriteEngine On

# Only evaluate on the original request, not after an internal redirect
RewriteCond %{ENV:REDIRECT_STATUS} ^$
# User agent starting with "python" (case-insensitive) ...
RewriteCond %{HTTP_USER_AGENT} ^(python) [NC,OR]
# ... or an empty user agent
RewriteCond %{HTTP_USER_AGENT} ^$
# -> 403 Forbidden
RewriteRule ^.* - [F,L]

# Same for a referer starting with "python"
# (RewriteCond only accepts NC, OR and NV; "N" is a RewriteRule flag and
# would make Apache reject the .htaccess with a 500 error)
RewriteCond %{HTTP_REFERER} ^(python) [NC]
RewriteRule ^.* - [F,L]

In this case it only filters the user agent used by some Python code, but you can add more agents like this:

RewriteCond %{HTTP_USER_AGENT} ^(python|blowfish|CatchBot|BecomeBot) [NC,OR]

I took those configurations from these sites as reference:

https://geekflare.com/block-unwanted-requests/

https://stackoverflow.com/a/22871784
