Profile upload issues

We’ve been having issues with people uploading iffy images via OJS’s Edit Profile pages, then providing links to the images on hacking sites. Because of this, our IT Dept. have requested we turn off self-registration altogether. However, journal managers are not happy, as this means that they have to do much of the publication workflows manually. So a bit of a dilemma!

We’ve figured out that we may be able to prevent the uploading of iffy images via the profile pages by:

  • deleting the TinyMCE plugin
  • commenting out the "$user->updateSetting('profileImage', $userSetting);" line in ProfileForm.inc.php
  • commenting out a few lines around "{fieldLabel name="profileImage" key="user.profile.form.profileImage"}" in profile.tpl

We’re hoping this strategy will allow us to turn on self-registration once more; but this will only happen if the strategy is fully water-tight.

Can anyone confirm whether this strategy will indeed prevent images from being uploaded via the profile page? Or whether there is a better way? We’re also worried about unanticipated side effects, such as plugins that may use the TinyMCE editor.

We are currently on v2.4.8.2, but hope to upgrade to v3.1 soon.

Thanks for any advice.

Hi @bernieh,

As you’ve noted, this is just a profile image upload, not an actual hack (any more than setting your Twitter image to “I Hacked Twitter” would be proof of that). See Regarding Recent OJS Defacement Attacks for a blog post about it.

There’s a work-around documented in the forum that disables the JBImages plugin entirely, removing the ability to upload images in TinyMCE rich text controls. It’s described here: Misuse of feature in PKP OCS 2.3.6 - #4 by asmecher

I don’t think you’ll see unintended consequences with your work-around either.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks @asmecher, we were able to disable the profile pic download and TinyMCE editor in 2.4.8. But it looks like the TinyMCE Editor in 3.1 is configured differently, so we can’t just copy the 2.4.8 changes over to 3.1.

Can you provide any advice re disabling the image upload function of TinyMCE in 3.1.1 for self-registered users, while still allowing it in Static pages?

Hi @bernieh,

I’ve added instructions for removing JBImages support from OJS/OMP 3.x to the linked post.

Rather than using JBImages for Static Pages, I’d suggest using the Publisher Library (see Settings > Workflow). There is a checkbox to make resources you upload there public.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this Github discussion. Feedback would be welcome.

Regards,
Alec Smecher
Public Knowledge Project Team