Hi there! I hope all of you are doing fine. First of all, let me appreciate all the efforts and continuous hard work of the PKP team for their outstanding products, especially OJS, as we have been using OJS regularly since 2008 for our two journals: https://annalskemu.org and https://journalofspark.com
Recently, one of our journals (Annals of KEMU) was attacked by malware and, on investigating the files and different data, we came across multiple submissions containing suspicious files in the submissions section (.phtml, .pht and .phar). These scripts are still disturbing the landing page of our journal's main website by replacing the index file. The reason for my posting this request is that I think the OJS team should do something about the file formats allowed to be uploaded within OJS to avoid such malicious scripts, or they should find a way to prohibit such formats. It later came to our knowledge through a web search that some other journals using OJS were affected by the same malware. So, if possible, please consider either limiting the allowed file formats for uploading or incorporating a mechanism to block / disallow executable formats.
Thank you once again and I wish all of you the best of luck.
Just to add in addition to @mpbraendle’s excellent advice – make sure that the files_dir is not directly web-accessible. This is noted in the installation form, in the configuration file, in the admin documentation, and basically anywhere else you deal with files_dir. Even with the “Control Public Files” plugin installed and preventing .phtml files from being uploaded, if you leave files_dir web accessible, it’ll still be possible for a user to guess URLs to access your journal’s content regardless of whether OJS grants access to it.
We don’t specifically prevent OJS from receiving certain types of files “out of the box” because there may be journals that legitimately want these types to be uploaded. For example, code could be part of a submission to a journal about computer science. As long as these types of files can’t be directly accessed (and executed) by guessing the URL and circumventing OJS, they are safe.
Regards,
Alec Smecher
Public Knowledge Project Team
Alright. Thanks for the prompt response. I will try the above-mentioned plugin and also the important aspect you mentioned regarding the files directory. Will definitely ensure that this folder is not web accessible…
Unfortunately, the files directory is inside the ojs directory. For some unknown reason, it is there but it should not be. So can you suggest how I can move the files directory to a safe place and configure it accordingly in config.inc.php?
This depends much on your Web server and Web server configuration used.
Of course, the web server process (Apache or whatever) needs to have write access (either as user or group) to the directory and all its subdirectories and files, but others should not have write access.
Example for a Linux system:
OJS root dir = /var/www/virtual/somepathname/htdocs/ojs
OJS files_dir = /var/www/virtual/somepathname/files
Permissions of files_dir
drwxrwxr-x {someuser_or_apacheuser} {apachegroup} files
In addition, the Web server configuration needs to be hardened so that no one can traverse the file system. It’s best to ask the server admin in your organization to set this up correctly.
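As an added example (not from this thread or from OJS itself), a small POSIX shell check of the two properties the reply above describes: that files_dir resolves to a path outside the OJS web root, and that it is not world-writable. It builds a throwaway copy of the example layout (htdocs/ojs beside ../files) under a temporary directory; the paths and modes are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of OJS itself.
# Checks an OJS files_dir for two properties from the reply above:
#   1. it lies outside the web root (so URL guessing cannot reach it)
#   2. it is not writable by "other" (drwxrwxr-x rather than drwxrwxrwx)

# Usage: files_dir_outside_docroot WEBROOT FILES_DIR
# Returns 0 when FILES_DIR is neither WEBROOT nor beneath it. Both paths
# are canonicalized; a symlink inside the web root pointing at files_dir
# is a separate exposure this check does not detect.
files_dir_outside_docroot() {
  webroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  files=$(cd "$2" 2>/dev/null && pwd -P) || return 1
  case "$files" in
    "$webroot" | "$webroot"/*) return 1 ;;  # inside the web root
    *) return 0 ;;
  esac
}

# Usage: files_dir_not_world_writable FILES_DIR
# Returns 0 when the "other" permission bits lack write.
files_dir_not_world_writable() {
  # GNU stat prints the octal mode with -c %a; BSD/macOS stat with -f %Lp.
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  [ -n "$mode" ] || return 1
  other=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "other"
  [ $(( other & 2 )) -eq 0 ]
}

# Constructed sample layout mirroring the reply: a web root htdocs/ojs, a
# correctly placed ../files (775), and a misplaced world-writable
# htdocs/ojs/files (777). Prints the base directory it created.
make_sample_layout() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/htdocs/ojs/files" "$base/files" || return 1
  chmod 775 "$base/files"
  chmod 777 "$base/htdocs/ojs/files"
  printf '%s\n' "$base"
}

# Stand-alone run: report on both candidate files_dir locations.
base=$(make_sample_layout)
for candidate in "$base/files" "$base/htdocs/ojs/files"; do
  if files_dir_outside_docroot "$base/htdocs/ojs" "$candidate" &&
     files_dir_not_world_writable "$candidate"; then
    echo "OK      $candidate"
  else
    echo "UNSAFE  $candidate"
  fi
done
rm -rf "$base"
```

Run it against a real installation by passing your OJS directory and the files_dir value from config.inc.php to the two functions; a failing result means the layout still allows the content to be reached or modified outside of OJS.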