OCS and CSRF risks

Hi, a security scan on OCS reports cross-site request forgery (CSRF) risks. It means OCS commands could be sent via URLs belonging to other sites, because OCS doesn't use a random token to verify commands. I was wondering,
(1) Is this an issue confirmed by the OCS team?
(2) If the answer to (1) is yes, how can I fix it?
Regards, Shawn

Hi @shawnhy,

What version of OCS are you using? Have you done any customizations or custom theming on your site?

Thanks,
Amanda Stevens
Public Knowledge Project Team

Hi @shawnhy,

We haven’t been developing OCS actively for several years now, and in that time security standards have evolved. We’ve added CSRF checks to our current releases of OJS and OMP but have not back-ported that work to OCS.

You can see the code that was added for OJS and OMP here.

We don’t have current plans to back-port this work to OCS but are open to code contributions. The latest news about our broader plans for OCS is here (as of May 2018): OCS Update

Regards,
Alec Smecher
Public Knowledge Project Team
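For readers who want to see what the missing check looks like in practice, here is an added example of a synchronizer-token CSRF check in PHP. It is not PKP's own code, nor the OJS/OMP implementation the reply links to; it assumes a PHP 7+ session-backed app, and the function names and the `csrfToken` form-field name are illustrative.

```php
<?php
// Added example (not OCS/OJS/OMP code): synchronizer-token CSRF protection.
// A page on another site can make the browser send a request here, but it
// cannot read this session's token, so a forged request fails the check.
// Assumes PHP 7+ sessions; function and field names are illustrative.

session_start();

// Issue one unpredictable token per session and keep it server-side.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrfField(): string {
    return '<input type="hidden" name="csrfToken" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept the request only if the submitted token matches the session token.
// hash_equals() compares in constant time, avoiding a timing side channel.
function csrfValid(array $request): bool {
    $sent = $request['csrfToken'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Usage at the top of any handler that performs a state change:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the requested change ...
}
```

The check only helps if every state-changing action is gated on it and such actions are never reachable via plain GET links, which is why a back-port to OCS is more than adding one function.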