Scanning OMP 3.3.0.20 with ZAP Proxy we get a potential Path Traversal vulnerability at these URLs:
Is that vulnerability real? Thank you.
Hi @pchamorro,
That’s a false positive; URLs into OJS after the index.php
part are virtual (i.e. they do not actually exist in the filesystem).
I think you’ll need to investigate these a little more before posting them, as it’s likely to flood the forum with false positives, and these take time to read and verify. Our experience with these 3rd party assessment tools is that they cost a lot of effort without providing a lot of benefit.
If you do find a security issue, it’s best to report it following our security guidelines:
https://github.com/pkp/ojs/blob/main/SECURITY.md
That way an actual issue doesn’t get disclosed to the public before we’ve had a chance to correct it.
Regards,
Alec Smecher
Public Knowledge Project Team
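To illustrate the point above about virtual URLs, here is an added example (not OJS's own router, and hypothetical in its route names): a front controller in the `index.php/<page>/<op>/<args>` style looks up the path after `index.php` in a fixed route table and never maps it onto the filesystem, so traversal-looking segments end in a 404 or become an opaque handler argument. This is why a scanner's pattern-based "Path Traversal" alert on such URLs needs verification against the application's behaviour rather than the URL shape.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

# A handler receives the remaining path segments as opaque strings.
Handler = Callable[[List[str]], Tuple[int, str]]


def article_view(args: List[str]) -> Tuple[int, str]:
    # Hypothetical handler: args are treated as identifiers, never as paths.
    return 200, f"article view {args}"


# Fixed route table: (page, op) -> handler. Anything not listed does not exist.
ROUTES: Dict[Tuple[str, str], Handler] = {
    ("article", "view"): article_view,
}


def dispatch(path_info: str) -> Tuple[int, str]:
    """Resolve the virtual path after index.php against the route table.

    The path is percent-decoded, split on '/', and the first two segments
    are used purely as dictionary keys; no filesystem call ever sees them.
    """
    segments = [s for s in unquote(path_info).split("/") if s]
    if len(segments) < 2:
        return 404, "not found"
    page, op, *args = segments
    handler = ROUTES.get((page, op))
    if handler is None:
        # '..' or any unknown page/op is simply an unknown route.
        return 404, "not found"
    return handler(args)


if __name__ == "__main__":
    # Constructed probes in the shape a scanner would send.
    for probe in ("/article/view/12", "/../../etc/passwd",
                  "/%2e%2e/%2e%2e/etc/passwd", "/article/view/../../etc/passwd"):
        print(probe, "->", dispatch(probe))
```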
Hi Alec,
Thank you very much for the answer. I followed the PKP security guidelines. I sent several emails to that address but got no answer (one on Jan 7th, and another on Jan 10th). So my last resort was to post them here, sorry, because we need to enable our OJS/OMP server for external users. Last year I sent another ZAP report and I did receive answers, but not this time. With your answer I have my OMP server ready for production. But about my OJS server I have 2 alerts with which I would appreciate your help. Could I contact you by email, or what could I do? And by the way, I tried to investigate a little more but my knowledge is limited. I was also trying to reproduce some of the vulnerabilities reported using other security tools, but I was unable to do that because I’m not a developer, or surely because they are false positives. Thank you.
Hi @pchamorro,
Hmm, I’ll check what happened with that email address – stay tuned.
Thanks,
Alec Smecher
Public Knowledge Project Team