Misuse of feature in PKP OCS 2.3.6

So this fix would prevent someone from parking illegal images on our servers and then pointing to them from elsewhere, but it doesn’t prevent them from uploading a malicious profile image and then writing to a security agency, including a URL like https://my-ojs-domain.org/public/site/images/username/bio_pic.png and saying “See, this site has been hacked!” As I understand it, the technique to disable “image hotlinking” would not prevent https://my-ojs-domain.org/public/site/images/username/bio_pic.png from being accessed.

Hi @kshawkin,

Because the link to the image would be followed from an email client, it would not have a referrer URL set to something within the journal’s domain, and thus the viewer would be directed elsewhere.

Regards,
Alec Smecher
Public Knowledge Project Team
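The referrer-based rule Alec describes, written out as a small decision function so the email-client case is visible. This is an added illustration, not code from OCS/OJS or from PKP; the hostnames, redirect target and sample requests are constructed for the example, and the same rule is normally expressed as web server rewrite rules rather than application code.

```python
from typing import Optional
from urllib.parse import urlparse

# Hostnames allowed to embed images from the uploaded-images area.
# Constructed example values; a real deployment uses the journal's own host(s).
ALLOWED_REFERER_HOSTS = {"my-ojs-domain.org", "www.my-ojs-domain.org"}

# Where a hotlinked or referrer-less image request is sent instead of the file
# (constructed placeholder; could equally be a generic "not available" image).
REDIRECT_TARGET = "/index.php"

# URL prefix covered by the rule (matches the path layout quoted in the thread).
PROTECTED_PREFIX = "/public/site/images/"


def hotlink_decision(path: str, referer: Optional[str]) -> str:
    """Return 'serve' or 'redirect' for one request.

    An image under PROTECTED_PREFIX is served only when the Referer header
    names the journal's own host. A missing Referer, which is what most email
    clients send when a user clicks a link in a message, is handled like a
    foreign referrer, so the viewer lands on REDIRECT_TARGET, not the image.
    """
    if not path.startswith(PROTECTED_PREFIX):
        return "serve"  # the rule only covers the uploaded-images area
    if not referer:
        return "redirect"  # no Referer: link followed from email or pasted directly
    host = urlparse(referer).hostname
    if host is None:
        return "redirect"  # malformed Referer value, treat as foreign
    return "serve" if host.lower() in ALLOWED_REFERER_HOSTS else "redirect"


def apply_rule(requests):
    """Run the rule over (path, referer) pairs and return the decisions."""
    return [hotlink_decision(path, referer) for path, referer in requests]


# Constructed sample requests: the email-client case from the thread, an
# in-site page embedding the image, a third-party page embedding it, and a
# non-image request that the rule leaves alone.
SAMPLE_REQUESTS = [
    ("/public/site/images/username/bio_pic.png", None),
    ("/public/site/images/username/bio_pic.png",
     "https://my-ojs-domain.org/index.php/conf/user/profile"),
    ("/public/site/images/username/bio_pic.png", "https://other.example/blog"),
    ("/index.php/conf/about", None),
]

if __name__ == "__main__":
    for (path, referer), decision in zip(SAMPLE_REQUESTS, apply_rule(SAMPLE_REQUESTS)):
        target = "" if decision == "serve" else f" -> {REDIRECT_TARGET}"
        print(f"{decision:8} {path}  (Referer: {referer!r}){target}")
```

Two caveats worth keeping in mind when deploying this. The Referer header is supplied by the client, so the rule stops casual embedding and link-following but is not a barrier against anyone who sets the header deliberately; the actual remedy for an abusive upload is still moderation and removal of the file. And because the strict variant redirects requests with no Referer at all, it also affects users who type the URL directly or browse with referrers suppressed, which is why many hotlink configurations choose to allow an empty Referer instead; that choice trades away the email-client protection discussed above.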

Ah, right, I see. Thanks for the quick replies!
