Security flaw in version 3.1.2.1

This version has a security flaw and is susceptible to Cross Site Scripting attacks. Has this flaw been fixed in the new version?

Hi @wandson,

Can you be more specific about the flaw? Is this something that has been disclosed publicly, or something that you have found? (If the details are sensitive, please send me a private message.)

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

In my structure I use version 3.1.2.1 and recently I was the target of a Cross Site Scripting attack. The hacker made a simple attack and left an image, that is, his mark.
I received a report from our intelligence stating that OJS has many vulnerabilities.
My server is very safe, even though it was the target of this attack where this hacker exploited this vulnerability of the tool.
This same hacker continues to carry out Cross Site Scripting attacks on various companies and government agencies exploiting this same vulnerability.
So I ask if this could be fixed in the next version.
I’m talking about Brazil here and I apologize for the English.

Hi @wandson,

I think you might be talking about this subject: There is any known vulnerability that allows remote file inclusion?

If it is the same, it’s not a vulnerability.

Regards,
Alec Smecher
Public Knowledge Project Team

If it is not a vulnerability, what would it be? A hacker group from Morocco is using this feature to invade several companies and a Brazilian government agency that uses the tool.

Hi @wandson,

There is a feature in OJS that allows users to upload images to use in their biographies, abstracts, etc. The so-called hacker is registering an account, using this feature to upload an image, then showing this image as evidence of a hack. This is roughly equivalent to uploading an image to this forum containing a message about hacking. The ability to upload images is intentional in both cases and not a vulnerability.

Regards,
Alec Smecher
Public Knowledge Project

@asmecher,

I looked at the link you provided and understood. Thanks a lot for the help.

That link, https://pkp.sfu.ca/2017/04/12/regarding-recent-ojs-defacement-attacks/