Need help with a hacking problem in OJS

Hello,

We use OJS 3.1.2-4. We need some help. We have just discovered that our OJS application has been hacked.
An account has been created in the application: hojs.
In OJS, there is an “images” public folder in which images deposited by users via the application are stored:
[$OJS_HOME]/public/site/images/

We don’t know yet how, but a user who had just created his account managed to deposit “prohibited” images in his account folder:
[$OJS_HOME]/public/site/images/hojs

It is in this directory that the user deposited “prohibited” images, which were accessible to everybody in the world at the following URL:
https://url_journal/public/site/images/hojs/prohibited_image.gif

We had a security alert and we had to close the website hosted by OJS.

Have you ever encountered this problem and do you know how to prevent it from happening?

Thanks in advance for your answer.
Best regards.
Helene

hello @hcl

Hi @juanito,
Thanks for the link. I hadn’t seen this critical issue.

To @asmecher,
To be sure I understand correctly: if I apply the patch to version 3.1.2-4, this will remove the upload button in the TinyMCE plugin.

In OJS 3.2, there is an upload feature that doesn’t rely on JBimages.
Will registered users with a role of reader, author or reviewer, which they can assign themselves, still be able to upload any image, in their profile contact for example?

How can we prevent any image from being uploaded to the directory [OJS_HOME]/public/site/images/[OJS_LOGIN]/, which is accessible to the whole world with a URL like:
https://url_journal/public/site/images/[OJS_LOGIN]/prohibited_image.gif

Can we add a moderator role when a user registers, or limit access to this public directory?

Thanks again for your help.
Kind regards.
Helene


Hi @hcl,

Starting with OJS 3.2.0, you can set the following configuration variable to disable uploading to the public area:

[files]
public_user_dir_size = 0

This setting is the number of kilobytes each user is allowed to store; setting it to 0 prevents any upload.

Note that claims to have hacked the site by uploading an image are false. The image upload feature is an intentional feature allowing images to be uploaded in user profiles, abstracts, etc. Claiming it as a hack is analogous to setting your profile image on Twitter to an image claiming to have hacked Twitter.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thanks for your answer.

Kind regards.
Helene

Hi @hcl,

I’ve just been reminded about this plugin, which is also useful in controlling which users can upload public files: GitHub - pkp/controlPublicFiles: An OJS and OMP plugin to limit who can upload public files and what kind of files they can upload.

It’s available in the Plugin Gallery for compatible versions of PKP software.

Thanks,
Alec Smecher
Public Knowledge Project Team

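The two mitigations above (the public_user_dir_size quota and a plugin that restricts who may upload public files and which file types) amount to an upload gate in front of the per-user public directory. The following is an added illustrative example, not OJS code and not the controlPublicFiles plugin's logic: it models such a gate in Python, with a quota in KiB where 0 disables uploads, a role allow-list that excludes the self-assignable roles named in the thread, a file-name sanity check, and a content check by magic bytes so that the extension cannot lie about what the file is. The role names, size limits and sample files are constructed for the example.

```python
"""Illustrative upload gate for a per-user public directory (not OJS code)."""
from dataclasses import dataclass, field

KIB = 1024

# Leading bytes of the only image formats this gate accepts (constructed list).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Assumption for the example: only staff roles may upload; the roles a visitor
# can grant themselves at registration (reader, author, reviewer) are excluded.
STAFF_ROLES = {"manager", "editor"}


@dataclass
class UploadPolicy:
    quota_kib: int  # analogous to public_user_dir_size: 0 means "no uploads at all"
    allowed_roles: set = field(default_factory=lambda: set(STAFF_ROLES))


def sniff_type(data: bytes):
    """Return 'gif'/'png'/'jpg' from the file's leading bytes, or None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def check_upload(policy: UploadPolicy, roles, filename: str, data: bytes, used_bytes: int = 0):
    """Decide whether `data` may be stored under the user's public directory.

    Returns (accepted, reason). Checks are ordered cheapest-first; the quota of 0
    short-circuits everything, matching the "set it to 0 to prevent any upload" advice.
    """
    if policy.quota_kib == 0:
        return False, "public uploads disabled (quota 0)"
    if not set(roles) & policy.allowed_roles:
        return False, "role is not permitted to upload public files"
    # Reject anything that is not a plain base name; the web root must not be reachable.
    if "/" in filename or "\\" in filename or filename in (".", "..") or not filename:
        return False, "invalid file name"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not a supported image"
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})"
    if used_bytes + len(data) > policy.quota_kib * KIB:
        return False, "quota exceeded"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads.
    gif = b"GIF89a" + b"\x00" * 10
    php = b"<?php system($_GET['c']); ?>"
    for roles, name, blob in [(["reader"], "a.gif", gif), (["editor"], "a.gif", gif),
                              (["editor"], "shell.php", php), (["editor"], "a.gif", b"\x89PNG\r\n\x1a\n")]:
        print(roles, name, check_upload(UploadPolicy(quota_kib=500), roles, name, blob))
```

The magic-byte check is the part worth keeping even when uploads are allowed: a file that starts with PHP or HTML but is named .gif will be served by Apache as whatever its extension suggests, so the decision must be based on content, not on the name the uploader chose.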

Hi @asmecher,

It seems to be an interesting and useful plugin.
Thanks for your suggestion.

What we did for now is that uploaded images are only accessible within OJS and are not accessible directly from this type of URL:
https://url_journal/public/site/images/[OJS_LOGIN]/image.png
via the following apache directive:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://url_journal [NC]
RewriteCond %{REQUEST_URI} ^/public/site/images/.*$ [NC]
RewriteRule . - [F]

This does not prevent a user from uploading images, but their visibility remains more limited.

We are also thinking of other controls on users who register. We believe that a user whose origin is known will be less likely to upload unauthorized images and in general to do unauthorized things. Meanwhile, we deactivated user registration.

When users register themselves in the journal, we would like journal managers to be able to validate their registrations with an additional moderation step so that journals can more closely monitor the origin of their presumed users.
We are going to specify this request in another thread.

Thanks again for your concern.

Kind regards.
Helene

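The Apache rule in the previous post decides purely on the Referer header, so it is worth checking exactly which requests it blocks and which it lets through. The following is an added example, not part of the original thread and not OJS or Apache code: it re-implements the three directives in Python (the `!` negation and `[NC]` case-insensitivity included, and with an absent header treated as the empty string, as mod_rewrite does) and runs a handful of constructed requests through it. The host `url_journal` is the placeholder from the thread and the request paths are made up.

```python
"""Model of the posted mod_rewrite rule, to see what it does and does not block (added example)."""
import re

# RewriteCond %{HTTP_REFERER} !^https://url_journal [NC]
SITE_PREFIX = re.compile(r"^https://url_journal", re.IGNORECASE)
# RewriteCond %{REQUEST_URI} ^/public/site/images/.*$ [NC]
PUBLIC_IMAGES = re.compile(r"^/public/site/images/.*$", re.IGNORECASE)

IMAGE = "/public/site/images/hojs/prohibited_image.gif"  # path quoted in the thread


def rewrite_decision(request_uri: str, headers: dict) -> int:
    """Return 403 when both RewriteConds hold (RewriteRule . - [F]), else 200 (pass-through)."""
    referer = headers.get("Referer", "")  # %{HTTP_REFERER} is empty when no header was sent
    referer_is_foreign = SITE_PREFIX.match(referer) is None
    if referer_is_foreign and PUBLIC_IMAGES.match(request_uri):
        return 403
    return 200


def scenarios() -> dict:
    """Constructed requests; the dict values are the status the rule produces."""
    return {
        # A link pasted into a new tab carries no Referer: blocked, as intended. The same
        # happens for a visitor on a journal page whose browser sends no Referer at all
        # (Referrer-Policy: no-referrer, a privacy extension), so legitimate views break too.
        "direct link, no Referer":
            rewrite_decision(IMAGE, {}),
        # An <img> on a journal page: allowed, as intended.
        "img tag on a journal page":
            rewrite_decision(IMAGE, {"Referer": "https://url_journal/index.php/j/article/view/1"}),
        # The header is client-controlled: one curl flag reproduces the allowed case.
        "curl -H 'Referer: https://url_journal/'":
            rewrite_decision(IMAGE, {"Referer": "https://url_journal/"}),
        # The pattern is an unterminated prefix, so any host that starts with the same
        # characters also matches.
        "page on url_journal.example.net":
            rewrite_decision(IMAGE, {"Referer": "https://url_journal.example.net/"}),
        # Paths outside the public images tree are never affected.
        "article page, no Referer":
            rewrite_decision("/index.php/j/article/view/1", {}),
    }


if __name__ == "__main__":
    for label, status in scenarios().items():
        print(f"{status}  {label}")
```

Running it shows that only the no-Referer case is refused; a forged header or a look-alike host passes, and the rule also refuses legitimate visitors whose browsers withhold the header. It therefore limits casual sharing of the URL but is not an access control, which is why the server-side measures discussed earlier in the thread (the public_user_dir_size setting and the controlPublicFiles plugin) are the ones that actually stop the upload.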