[OJS 3.3.0.13] OJS Security Issue

I wanted to report an issue that we are experiencing with one of our OJS installations. We are receiving attacks, and the servicers have provided us with this report, in which they have identified many such open connections:

ID: 1211967
USER: xxx_user
HOST: localhost
DB: xxxx_db
COMMAND: Prepare
TIME: 2350
STATE: Waiting for table flush
INFO: SELECT * FROM submissions WHERE submission_id = ?
TIME_MS: 2350148.227
STAGE: 0
MAX_STAGE: 0
PROGRESS: 0.000
MEMORY_USED: 102632
MAX_MEMORY_USED: 1337904
EXAMINED_ROWS: 0
QUERY_ID: 791887279
INFO_BINARY: SELECT * FROM submissions WHERE submission_id = ?
TID: 282404

They recommend verifying the site and the correct handling of closing MySQL connections to prevent the issue from recurring. How can I do this? Do you have any suggestions to correct this?

Thanks.
Bye,
Tiziano

Hi @Tiziano,

I don’t think this is a security issue (or at least it’s not clear without more information). It’s likely that your submissions table is locked due to another operation, and that these queries pile up waiting for it to become available. I’d suggest double-checking that your MySQL server consistently uses InnoDB rather than MyISAM, and seeing if you can identify the query that caused the table to lock, rather than the ones that were forced to wait for it.

Regards,
Alec Smecher
Public Knowledge Project Team
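
The two checks suggested in the reply above can be run as queries against `information_schema`. This is an added example, not part of the original posts and not PKP code. It assumes the server exposes `information_schema.PROCESSLIST` (the report's columns match that view), and `xxxx_db` is the redacted schema name from the report, to be replaced with the real one.

```sql
-- 1. Engine check: list every table in the OJS schema that is NOT InnoDB.
--    An empty result means the schema consistently uses InnoDB.
SELECT TABLE_NAME, ENGINE
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'xxxx_db'          -- placeholder taken from the report
  AND TABLE_TYPE = 'BASE TABLE'
  AND ENGINE <> 'InnoDB'
ORDER BY TABLE_NAME;

-- 2. Size of the pile-up: how many sessions are waiting, on what statement,
--    and for how long. The report's rows would appear here under
--    STATE = 'Waiting for table flush'.
SELECT STATE,
       LEFT(INFO, 120) AS statement,
       COUNT(*)        AS waiting_sessions,
       MAX(TIME)       AS longest_wait_s
FROM information_schema.PROCESSLIST
WHERE STATE LIKE 'Waiting for%'
GROUP BY STATE, LEFT(INFO, 120)
ORDER BY waiting_sessions DESC;

-- 3. Candidates for the statement that caused the wait: sessions that are
--    doing work (not idle, not themselves waiting on the flush), oldest first.
--    A statement that has been running longer than longest_wait_s from
--    query 2 started before the waiters queued and is the usual suspect.
SELECT ID, USER, HOST, DB, COMMAND, TIME, STATE,
       LEFT(INFO, 200) AS statement
FROM information_schema.PROCESSLIST
WHERE COMMAND NOT IN ('Sleep', 'Daemon', 'Binlog Dump')
  AND (STATE IS NULL OR STATE <> 'Waiting for table flush')
  AND ID <> CONNECTION_ID()             -- exclude this diagnostic session
ORDER BY TIME DESC;
```

Queries 2 and 3 only show something useful while the pile-up is happening, so they need to be run (or captured by the hosting provider) during an incident rather than afterwards.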