Hacked 'public' dir, not 'files' using tiny_mce

Hi,
I found my server with the same 'hack' uploaded using the tiny_mce library.
Without logging in they can upload files inside public/site/images/
They used these calls:
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/%7B HTTP/1.1" 200
POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 200

The dir public/site/images is writable by www-data.

I use OJS 2.4.8

Is it possible to do something?
Bye
Zeno Tajoli

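The two access-log lines quoted above are the useful indicator for anyone checking an OJS 2.4.x install for the same activity: a POST to the jbimages plugin's CodeIgniter upload endpoint that returns 200. The script below is an added example (not code from the thread, from PKP or from OJS) that parses Apache combined-format log lines and flags those requests, then groups them by client address. The sample log lines are constructed for the example; the request paths are the ones quoted in the post, and the client addresses, timestamps and byte counts are invented.

```python
import re

# Constructed sample access-log lines (Apache combined format). The two
# successful POSTs reproduce the request paths quoted in the forum post;
# the IPs, timestamps and sizes are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2017:03:12:44 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/%7B HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:03:12:45 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:03:13:01 +0000] "GET /index.php/journal/article/view/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:03:13:05 +0000] "GET /public/site/images/hacked.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:03:14:00 +0000] "POST /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/index.php/upload/english HTTP/1.1" 403 199 "-" "curl/7.52"
"""

# Path fragment shared by the quoted requests; matched as a substring so the
# trailing segment ("%7B", "english", ...) does not matter.
UPLOAD_PATH_MARKER = "/plugins/jbimages/ci/index.php/upload"

# client, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_jbimages_uploads(lines, only_successful=True):
    """Return parsed records for POSTs to the jbimages upload endpoint.

    With only_successful=True (the default) only HTTP 200 responses are kept,
    since a 4xx/5xx POST means the upload did not land in public/site/images.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if UPLOAD_PATH_MARKER not in rec["path"]:
            continue
        if only_successful and rec["status"] != 200:
            continue
        hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Group hits by client IP: request count plus first and last timestamp."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"count": 0, "first": h["ts"], "last": h["ts"]})
        entry["count"] += 1
        entry["last"] = h["ts"]
    return summary


if __name__ == "__main__":
    # Usage on a real server: replace SAMPLE_LOG with the contents of the
    # access log, e.g. open("/var/log/apache2/access.log").
    hits = find_jbimages_uploads(SAMPLE_LOG.splitlines())
    for ip, info in summarize_by_client(hits).items():
        print(f"{ip}: {info['count']} successful upload(s), {info['first']} .. {info['last']}")
```

A hit in this list only tells you that the endpoint answered 200 to an unauthenticated POST; confirm what was written by listing files in public/site/images whose modification time falls in the same window as the flagged requests.
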
Hi @ztajoli,

Can you describe the problem more broadly? Are you seeing e.g. malicious script uploads, or unexplained images in the public area, or something else?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi,
I have found unexplained images in the public area with the text:
“You are hacked. Allah akbar”.

Hi @ztajoli,

See https://pkp.sfu.ca/2017/04/12/regarding-recent-ojs-defacement-attacks/ for details.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this GitHub discussion. Feedback would be welcome.

Regards,
Alec Smecher
Public Knowledge Project Team