Hi,
After some security tests carried out on my site (developed in OJS 3.1.2), one of the vulnerabilities detected was that SQL injection is possible. One of the URLs given as a sample of the problem is:
https://urlMySyte/index.php/journal/article/download/157/522?inline=2%2F2
How can I solve this problem?
Hi @yusmelvis,
I’m afraid that’s not enough information to go on; if you have more details to share, please send me a private message.
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @asmecher, I wrote you a private message.
Hi @yusmelvis,
It looks like the test software changed the inline parameter from 1 to 2%2F2. That parameter is a boolean, so any value other than 0 or false is taken to mean that the file should be delivered inline. There is no SQL injection there (that parameter never goes to the database).
Automatic security testing software can generate a lot of false positives, so we’re happy to review any specific questions you have, but it’ll take a bit of work on your end to sort the potential issues from the false positives.
Thanks,
Alec Smecher
Public Knowledge Project Team
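To make the point above concrete, here is an added illustration of how a boolean download flag like inline is typically read and used. This is example code written for this thread, not OJS's own download handler; the helper names (isInlineRequested, contentDispositionFor) and the sample values are constructed for the illustration.

```php
<?php
// Added illustration (not OJS code): how a boolean query parameter such as
// ?inline=1 or ?inline=2%2F2 is interpreted, and why the value never
// reaches the database.

/**
 * Read a request parameter as a boolean flag, as described in the thread:
 * an absent parameter, "", "0" or "false" means false; anything else means
 * true. PHP has already URL-decoded "2%2F2" to "2/2" in $_GET, so the
 * scanner's probe value is simply "some non-zero string", i.e. true.
 */
function isInlineRequested(?string $raw): bool
{
    if ($raw === null) {
        return false;
    }
    $normalized = strtolower(trim($raw));
    return !in_array($normalized, ['', '0', 'false'], true);
}

/**
 * Build the Content-Disposition header for the file being served.
 * The user-supplied flag only chooses between two fixed words; it is never
 * interpolated into the header, a file path or an SQL statement, so there
 * is no injection sink for it to reach. The filename comes from the
 * server-side record, and is sanitised here as a belt-and-braces measure.
 */
function contentDispositionFor(bool $inline, string $filename): string
{
    $disposition = $inline ? 'inline' : 'attachment';
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    return sprintf('%s; filename="%s"', $disposition, $safeName);
}

// Constructed sample values, including the decoded form of the scanner's
// "2%2F2" probe. Both "1" and "2/2" select inline delivery; "0" and "false"
// select an attachment; a missing parameter defaults to attachment.
$samples = ['1', '2/2', 'yes', '0', 'false', null];
foreach ($samples as $value) {
    printf(
        "inline=%-8s -> %s\n",
        var_export($value, true),
        contentDispositionFor(isInlineRequested($value), 'article-157.pdf')
    );
}
```

When triaging a scanner report like this one, the question to answer for each flagged parameter is where its value ends up: here it only flips a boolean, so a changed value produces a different delivery mode and nothing else, which is exactly the false-positive pattern Alec describes.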