OJS 2.4.8-1 question [update: site hacked via other CMS]


Our OJS 2.4.8-1 site just got hacked.

The effect of the hack was to delete all files/folders from the ojs installation, and replace with a couple of PHP files.

I know that we were a couple of versions behind on the 2.4.8 release, but I’m just wondering if there was a security fix applied in 2.4.8-3, or is there potentially still an open security bug in the 2.4.8 release?

I looked through the 2.4.8-1 to 2.4.8-3 patch file and the changes to the release notes, but couldn’t see anything obvious in the notes.

Obviously we will upgrade, but am just a little nervous of going to 2.4.8-3 if there is still an open issue. We are evaluating upgrading to 3.1, but haven’t fully committed to it yet due to the large changes.

Any help or hints would be greatly appreciated.


The most common cause is that the files directory is a subdirectory of your installation. Meaning that you can access the directory from an address like http://yourserverhere.com/files/.

If this is the case, then you should just move the files directory outside the webroot. See https://github.com/pkp/ojs/blob/master/docs/README#L58

Hi Ajnyga,

Thanks for your reply.

No, that’s not the issue here. The ‘files’ directory is outside of the installation.

Someone was able to upload a php web shell into the ojs web root and then delete all of the files.


do you have something else installed on that same server? In a different folder I mean. All the upload scripts I know point to the files directory or the public directory. With the latter you can only upload things like images (in tinymce).

Of course if the files directory would be accessible you could upload php script and use that to upload other scripts as well also to the ojs root. But since it was not the case here, I am thinking maybe the original script was uploaded using another site/system on the same server? This happened to my once on an university shared server where a hacker had gained access through a vulnerability in an old CMS and was able to hack our site as well on the same server.

Tagging @asmecher here so he does not miss this

Hi Ajnyga,

Thanks again for the reply.

Yes, I think you’re right. After some more digging, it looks like OJS was not the source of the hack. Another old CMS was compromised first, and it was on this shared server (bad idea!).

Sorry for the false alarm. Thanks again,

1 Like

Glad to hear you got it sorted out.