Possible exploit? PKP 2.4.6

Receive security vulnerability notification in the software, but the
documentation states that you already deal with this vulnerability.


Could confirm that there really is the vulnerability?

A total of 4114 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/index.php/phyproceedings/article/view/223?locale=c%3A%5Cetc%2Fpasswd HTTP Response 200 

ZAP (Zed Attack Proxy) Scanning Report of SQL Injection (OWASP):


Hi @Andreia,

That doesn’t look like a vulnerability to me. It appears that the scanning tool is entering certain kinds of potentially risky content into query parameters and checking the server’s response code; OJS is responding with a 200 (OK), but that doesn’t mean that the attack vector is viable. OJS is simply discarding the “locale” parameter and continuing on its way.

Alec Smecher
Public Knowledge Project Team