Putting files folder outside the public folder ...how is it safe?

Hi
I am reading the recommendation on putting the “public” folder outside the OJS installation. How is that going to be more secure?

There is still a symbolic link pointing to the new location. I mean, as long as Apache can reach the file, it should be the same result, right?

Thx

Hi @oah433,

What recommendation is that? Do you have a link?

Regards,
Alec Smecher
Public Knowledge Project Team

https://openjournalsystems.com/open-journal-systems-ojs-hacking-epidemic-solutions/

The URL above mentions some steps towards more secure installations, quoted below:

What’s Needed

To combat this threat, you need to do 4 things:

    1- Only allow the upload of files with safe extensions (such as .doc, .docx, .odt, .pdf) and to prohibit the upload of files with server-side executable extensions (such as .phtml, .asp, .php, .rb, .py).
    2- Automatically notify Journal contact about any new OJS registration.
    3- Install your OJS so that the file directory is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server.
    4- Keep your OJS version up-to-date with the latest upgrades.

More specifically, I am wondering about number-3 above.

Hi @oah433,

That is referring to the files_dir, which is configured in config.inc.php (and entered on the installation form when you install OJS), not the public files directory.

OJS stores the submission files uploaded by authors etc. in the files_dir, and controls access to those files so that only authorized users can access them. If you put that directory inside the web root, however, users can circumvent OJS’s access controls by guessing the URL to those files and downloading them directly. Depending on your server’s configuration, it may also be possible to upload malicious files that can be executed remotely.

Therefore it’s important to keep the files_dir outside the web root, or protect its contents from direct access using a .htaccess file or something similar. This is noted on the installation form, in the Recommended Configuration section of docs/README.md, and elsewhere.

Symlinking your files_dir into your web root is not recommended, as it introduces the same security risks.

The website you referred to above is not affiliated with PKP (or OJS), and may not give reliable advice. For example, it is not necessary to limit the types of uploads or to notify the journal contact of new registrations in order to keep your OJS installation secure. (There are free plugins in the Plugin Gallery to accomplish both of those tasks, however, if you want.)

Regards,
Alec Smecher
Public Knowledge Project Team


Thx a ton, it is all clear now 🙂
I used the upload plugin and things are under control now, no “PHAR, PHP” files any more 🙂

Regards.

Hi @oah433,

That’s not a complete solution – it’ll prevent malicious .phtml uploads, but your submission files will be downloadable by anyone who can guess the URL. The best solution is to move the files_dir outside the web root and update config.inc.php with the new location.

Regards,
Alec Smecher
Public Knowledge Project Team
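
A check for the two exposures discussed in this thread (files_dir inside the web root, or symlinked into it), as an added example that is not part of the original posts or of PKP's code. It assumes config.inc.php holds files_dir as a `key = value` line and that a relative value is relative to the directory holding the config; the function names are hypothetical, and web server aliases are not examined.

```python
import os
import re
import tempfile

def read_files_dir(config_path):
    """Return files_dir from config.inc.php (assumed INI-style key = value lines)."""
    with open(config_path, encoding="utf-8") as fh:
        for line in fh:
            m = re.match(r'\s*files_dir\s*=\s*"?([^";\r\n]+?)"?\s*(;.*)?$', line)
            if m:
                return m.group(1)
    raise ValueError("files_dir not found in " + config_path)

def is_inside(path, root):
    """True if path, with symlinks resolved, is root or lies below it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def audit(web_root, config_path):
    """Return a list of findings (empty if neither exposure is found)."""
    # Assumption: a relative files_dir is relative to the directory holding the config.
    files_dir = os.path.join(os.path.dirname(config_path), read_files_dir(config_path))
    findings = []
    if is_inside(files_dir, web_root):
        findings.append("files_dir is inside the web root: " + os.path.realpath(files_dir))
    # os.walk does not descend into symlinked directories, but it does list them.
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            # Flag links into files_dir and links to any directory that contains it.
            if os.path.islink(entry) and (is_inside(entry, files_dir)
                                          or is_inside(files_dir, entry)):
                findings.append("symlink exposes files_dir: " + entry)
    return findings

def demo():
    """Constructed layout: files_dir outside the web root, then symlinked back in."""
    base = tempfile.mkdtemp()
    ojs, store = os.path.join(base, "www", "ojs"), os.path.join(base, "ojs-files")
    os.makedirs(ojs)
    os.makedirs(store)
    cfg = os.path.join(ojs, "config.inc.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("[files]\nfiles_dir = %s\npublic_files_dir = public\n" % store)
    before = audit(os.path.join(base, "www"), cfg)
    os.symlink(store, os.path.join(ojs, "submissions"))  # the setup asked about
    return before, audit(os.path.join(base, "www"), cfg)

if __name__ == "__main__":
    print(demo())
```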