Possible exploit? PKP 2.4.6

Receive security vulnerability notification in the software, but the
documentation states that you already deal with this vulnerability.

http://pkp.sfu.ca/wiki/index.php/PKP_Frequently_Asked_Questions#How_secure_[..]

Could confirm that there really is the vulnerability?

A total of 4114 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/index.php/phyproceedings/article/view/223?locale=c%3A%5Cetc%2Fpasswd HTTP Response 200 

ZAP (Zed Attack Proxy) Scanning Report of SQL Injection (OWASP):

index.php/revista/article/view/revista.10.1/0?locale=pt_BR+AND+1%3D1±-+

Hi @Andreia,

That doesn’t look like a vulnerability to me. It appears that the scanning tool is entering certain kinds of potentially risky content into query parameters and checking the server’s response code; OJS is responding with a 200 (OK), but that doesn’t mean that the attack vector is viable. OJS is simply discarding the “locale” parameter and continuing on its way.

Regards,
Alec Smecher
Public Knowledge Project Team