Other websites get affected by OJS

I’m currently using the latest version of OJS on my cPanel server, which also hosts more than 10 other websites. Due to issues with OJS, I’ve lost access to several of my other sites. An attacker is continuously modifying my code — not only for the OJS site but for all the websites hosted on the same server.

My question to the OJS team is: do you have any solution for this issue? The attacker has altered several .phtml files and injected malicious code, which I’ve reviewed.

I also suggest that the OJS team warn users not to host OJS alongside other websites on the same server, as a security breach in OJS could compromise all other hosted websites as well.

Hi @openaccessjournals,

I’m pretty sure this is caused by your files_dir being inside the web root, and unprotected from direct access. (There are warnings against this on the installation form, in the config.inc.php configuration file, and elsewhere in our documentation.)

First, make sure that you’re protecting your files_dir from direct access, either by moving it outside the web root (preferred) or by protecting it from direct access using a mechanism like .htaccess (also workable, but a little riskier if something happens to the .htaccess file).

Then, if your website has already been backdoored, then you’ll need to review all content in your web root to ensure that there aren’t malicious scripts. This is the same as if a WordPress or Drupal installation was attacked in a similar way. I’d suggest using tools like diff to compare what’s installed against a stock copy of the same version of the software; there are too many potential places to hide a backdoor for this to be a manual review.

Keeping one application partitioned from another is more of an OS-level question than an OJS question, and will be somewhat server specific (e.g. depending on what PHP SAPI your server has configured). Generally applications can be run under different user accounts, with permissions set to avoid a problem with one affecting the others, but containerization is increasingly a good way to do this.

Regards,
Alec Smecher
Public Knowledge Project Team
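One way to carry out the two checks from the reply above (confirming that files_dir sits outside the web root, and diffing the installed tree against a pristine copy of the same release to surface added or altered web-executable files), as an added example that is not part of the thread or of OJS itself; the stock tree, installed tree, file names and the config.inc.php line are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the forum thread or the OJS project.
# Compares an installed OJS tree against a pristine copy of the same release
# and lists files that were added or changed, limited to extensions the web
# server would execute. All paths below are constructed for demonstration.
set -eu

# Print one "status path" line per suspect file:
#   M = present in the stock copy but modified, A = not in the stock copy at all.
list_suspect_files() {
    stock="$1"; installed="$2"
    ( cd "$installed" && find . -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' -o -name '.htaccess' \) ) |
    sort | while read -r f; do
        if [ ! -e "$stock/$f" ]; then
            echo "A $f"
        elif ! cmp -s "$stock/$f" "$installed/$f"; then
            echo "M $f"
        fi
    done
}

# Return 0 when files_dir in config.inc.php points outside the web root,
# 1 when it is inside the web root (uploads would be reachable by URL).
files_dir_outside_webroot() {
    config="$1"; webroot="$2"
    dir=$(sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$config" | head -n 1)
    case "$dir" in
        "$webroot"|"$webroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# --- constructed demo trees (stock release vs. compromised install) ---
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
STOCK="$DEMO/ojs-stock"; WEB="$DEMO/public_html"
mkdir -p "$STOCK/lib" "$WEB/lib" "$WEB/files"
printf '<?php // stock index\n' > "$STOCK/index.php"
printf '<?php // stock index\n' > "$WEB/index.php"              # untouched
printf '<?php // helper\n' > "$STOCK/lib/helper.inc"
printf '<?php // helper\nINJECTED LINE\n' > "$WEB/lib/helper.inc" # modified in place
printf '<?php // planted\n' > "$WEB/files/shell.phtml"          # dropped into files_dir
printf 'files_dir = %s/files\n' "$WEB" > "$WEB/config.inc.php"  # files_dir inside web root
cp "$WEB/config.inc.php" "$STOCK/config.inc.php"                # keep config out of the diff

list_suspect_files "$STOCK" "$WEB"
files_dir_outside_webroot "$WEB/config.inc.php" "$WEB" || echo "files_dir is inside the web root"
```

On a real server config.inc.php always differs from the stock copy, so review that file by hand rather than trusting the diff output for it.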