Describe the issue or problem
Similar to what was reported in Security Issue: Pdf viewer with strange suffix redirecting to multiple sites, we’ve seen a massive spike in Google Search Console traffic that hijacks the /plugins/generic/pdfJsViewer/pdf.js/web/viewer.html URL, logs a person out of OJS, then redirects to an unrelated and possibly villainous site.
This is occurring across several of our OJS instances, all on 3.4.0.8.
Steps I took leading up to the issue
We became aware of this when looking in Google Search Console, which showed OJS instances that usually get 35,000 impressions and 200 clicks receiving 4.1 million impressions and 71,000 clicks.
What application are you using?
OJS 3.4.0.8
Additional information
If one searches within Google for https://[THE_OJS_URL]/plugins/generic/pdfJsViewer/pdf.js/web/viewer.html, search results appear with linked titles that are not related to, or even in, the journals themselves. I’m not sure how the Google index is being loaded with these non-results, but they are there and related to some of the, uh, more adult search terms that we’re seeing in Google Search Console.
I’ve asked Google to remove this specific URL from their index for all of our OJS sites.
Is there a way to only update the pdfJsViewer plugin to stop this from happening, or some other fix? Thanks!
Side note: even on journals where pdfJsViewer is not active, the /plugins/generic/pdfJsViewer/pdf.js/web/viewer.html URL still exists and is accessible. It looks like it defaults to displaying the compressed.tracemonkey-pldi-09.pdf file that’s included in the plugin directory.
Thanks, @asmecher. Can you tell me exactly which version had the fix implemented? It’s not at all clear if there are release notes associated with the smaller point version releases.
We may be able to update to a more recent version of 3.4, though our technical people may have worked out a network-related workaround until 3.5 makes LTS mode, when we’d originally planned to update before this vulnerability from 2024 came back.
(Also, should it be that the /plugins/generic/pdfJsViewer/pdf.js/web/viewer.html URL is still available on OJS even if the related plugin is deactivated?)
I’m not convinced that this is true. It seems that OJS instances with the pdfJsViewer plugin deactivated are vulnerable if a link such as https://[OJS_URL]/plugins/generic/pdfJsViewer/pdf.js/web/viewer.html?file=
Allows a redirect to any URL, not just the OJS logout. Does the file (or the plugin) check to see if the file parameter is a PDF file?
This is being used to juice SEO by causing OJS to appear as though it links to other domains. The mechanism is as follows: someone wanting to boost their site’s search engine ranking plants a link to an OJS installation somewhere that it can be indexed. The link is to the viewer.html file, with file= pointing to the OJS logout script. Using #11242, the OJS logout script redirects the indexer to a 3rd party site.
Once you upgrade to a recent release, OJS will no longer redirect to the 3rd party site, and the mechanism is broken.
The presence of the logout script in the URLs you’re seeing highlights the need for the open redirect in order for the mechanism to work. If the redirect wasn’t needed, you wouldn’t see the logout action being targeted.
Regards,
Alec Smecher
Public Knowledge Project Team
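An added example for this thread (my code, not OJS, pdfJsViewer or pdf.js code, and not anything the posters above wrote). It addresses two points from the discussion: the question of whether the file= parameter is checked before the viewer loads it, and the viewer.html → logout → third-party redirect chain Alec describes. Part 1 is a check that resolves file= against the journal origin and accepts only same-origin galley download paths; a plain same-origin test would not help here, because the logout action lives on the same host, so an allowlist of download paths is used instead of a PDF-extension heuristic (OJS download URLs do not carry one). Part 2 applies that check to web-server access logs to surface the abusive requests and the referrers and crawlers behind them. Everything named is an assumption for illustration: the journal origin https://journal.example.org, the galley path pattern /index.php/<journal>/article/download/<article>/<galley>, the logout path /index.php/<journal>/login/signOut, combined log format, and the constructed sample log lines. The real fix remains the upgrade that closes the open redirect; this is defense in depth and a way to measure the traffic.

```javascript
// Added example for this thread; not OJS, pdfJsViewer or pdf.js code.
// Part 1: a `file` parameter check that resolves the value against the journal origin
//         and accepts only same-origin galley download paths.
// Part 2: apply that check to access logs to surface viewer.html?file=<logout> requests.
//
// Assumptions (hypothetical; adjust for your install): the journal is served from
// SITE_ORIGIN, galleys download from /index.php/<journal>/article/download/<article>/<galley>,
// the logout action is /index.php/<journal>/login/signOut, and logs are in combined format.

const SITE_ORIGIN = 'https://journal.example.org';
const VIEWER_PATH = '/plugins/generic/pdfJsViewer/pdf.js/web/viewer.html';
// Allowlist of paths the viewer may be asked to load. Nothing else gets through, including
// the same-origin logout action, so no PDF-extension heuristic is needed.
const ALLOWED_FILE_PATH = /^\/index\.php\/[A-Za-z0-9_-]+\/article\/download\/\d+\/\d+(?:\/\d+)?$/;

// Returns { ok: true, url } for an acceptable `file` value, else { ok: false, reason }.
function checkFileParam(fileParam, siteOrigin = SITE_ORIGIN) {
  if (typeof fileParam !== 'string' || fileParam === '') {
    return { ok: false, reason: 'missing' };
  }
  let url;
  try {
    // A relative value resolves against the journal; an absolute one keeps its own origin,
    // so "//evil.example/x.pdf" and "https://evil.example/x.pdf" both surface as cross-origin.
    url = new URL(fileParam, siteOrigin);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'scheme:' + url.protocol };
  }
  if (url.origin !== new URL(siteOrigin).origin) {
    return { ok: false, reason: 'cross-origin:' + url.origin };
  }
  // The URL parser has already collapsed "/../" segments, so the allowlist sees the real path.
  if (!ALLOWED_FILE_PATH.test(url.pathname)) {
    return { ok: false, reason: 'path-not-allowed:' + url.pathname };
  }
  return { ok: true, url: url.href };
}

// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const CRAWLER_UA = /googlebot|bingbot/i;

// Returns one finding per viewer.html request whose `file` parameter fails checkFileParam.
// Requests with no `file` at all load the viewer's bundled default PDF and are not reported.
function scanAccessLog(logText, siteOrigin = SITE_ORIGIN) {
  const findings = [];
  for (const raw of logText.split('\n')) {
    const m = LOG_LINE.exec(raw.trim());
    if (!m) continue;
    const [, ip, time, method, target, status, referer, ua] = m;
    const req = new URL(target, siteOrigin);
    if (req.pathname !== VIEWER_PATH) continue;
    const fileParam = req.searchParams.get('file'); // percent-decoded once, as the viewer sees it
    if (fileParam === null) continue;
    const verdict = checkFileParam(fileParam, siteOrigin);
    if (verdict.ok) continue;
    findings.push({
      ip, time, method, status, referer, ua,
      file: fileParam,
      reason: verdict.reason,
      crawler: CRAWLER_UA.test(ua), // an indexer fetching these is the SEO abuse at work
    });
  }
  return findings;
}

// Counts findings by reason so a spike is visible at a glance.
function summarize(findings) {
  const byReason = {};
  for (const f of findings) byReason[f.reason] = (byReason[f.reason] || 0) + 1;
  return { total: findings.length, crawlerHits: findings.filter(f => f.crawler).length, byReason };
}

// Constructed sample log lines (not real traffic): one legitimate galley load, one crawler
// request pointing `file` at the logout action, one pointing it off-site, one unrelated hit.
const SAMPLE_LOG = `
203.0.113.7 - - [10/Jun/2025:08:15:02 +0000] "GET ${VIEWER_PATH}?file=%2Findex.php%2Fjournal%2Farticle%2Fdownload%2F123%2F456 HTTP/1.1" 200 18431 "https://journal.example.org/index.php/journal/article/view/123" "Mozilla/5.0"
66.249.66.1 - - [10/Jun/2025:08:15:09 +0000] "GET ${VIEWER_PATH}?file=%2Findex.php%2Fjournal%2Flogin%2FsignOut HTTP/1.1" 200 18431 "https://spam.example/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/Jun/2025:08:16:41 +0000] "GET ${VIEWER_PATH}?file=https%3A%2F%2Fattacker.example%2Fx.pdf HTTP/1.1" 200 18431 "-" "curl/8.0"
203.0.113.8 - - [10/Jun/2025:08:17:00 +0000] "GET /index.php/journal/index HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
`;

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanAccessLog(SAMPLE_LOG);
  console.log(JSON.stringify(summarize(findings), null, 2));
  for (const f of findings) console.log(`${f.ip}${f.crawler ? ' [crawler]' : ''} ${f.reason} referer=${f.referer}`);
}
```

Run it with node against your own log instead of SAMPLE_LOG; the referer field on the flagged lines is where the planted links live, which is useful when filing the removal request with Google, and the crawler flag separates indexer fetches from ordinary users. The allowlist regex is the part to adapt: it must match every path the viewer is legitimately asked to load on your install and nothing else.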