SQL Injection (Time-Based) in OJS 3.3.0-11

Hi,
After some security tests carried out on my site (developed in OJS 3.3.0-11), one of the vulnerabilities detected was that SQL injection is possible.
Payload used: 0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z

How can I solve this problem?

@kunalojs,

Please don’t disclose potential security issues on the public forum; see ojs/SECURITY.md at main · pkp/ojs · GitHub

-Roger
PKP Team

See:

Regards,
Alec Smecher
Public Knowledge Project Team

I am facing this problem; what can be fixed?

Old code:

```php
function getByUsername($username, $allowDisabled = true) {
	$result = $this->retrieve(
		'SELECT * FROM users WHERE username = ?' . ($allowDisabled ? '' : ' AND disabled = 0'),
		array($username)
	);

	$row = (array) $result->current();
	return $row ? $this->_returnUserFromRowWithData($row) : null;
}
```

I replaced it with the following code, but it did not work for me. Any suggestions?

```php
function getByUsername($username, $allowDisabled = true) {
	$pdo = new PDO("mysql:host=localhost;dbname=example", "root", "testdb", array(PDO::ATTR_PERSISTENT => true));

	$sql = 'SELECT * FROM users WHERE username = ?' . ($allowDisabled ? '' : ' AND disabled = 0');
	$stmt = $pdo->prepare($sql);

	// Bind the username as a string parameter
	$stmt->bindParam(1, $username, PDO::PARAM_STR);

	// Execute the query
	$stmt->execute();

	$row = $stmt->fetch(PDO::FETCH_ASSOC);

	$stmt->closeCursor();

	$pdo = null;

	return $row ? $this->_returnUserFromRowWithData($row) : null;
}
```
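The following is an added example, not OJS code and not written by anyone in this thread. It mirrors the bound-parameter lookup from the old `getByUsername()` against an in-memory SQLite table (it assumes the `pdo_sqlite` extension is available; the table and rows are constructed for the demo) and feeds it the probe string from the first post, beside a deliberately concatenated variant, to show the difference between a value that is bound and one that is parsed as SQL.

```php
<?php
// Added example (not OJS code). SQLite in memory so it runs stand-alone;
// OJS itself uses MySQL/PostgreSQL, where the spliced probe would be
// evaluated as an expression instead of failing to parse.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, disabled INTEGER)');
$pdo->exec("INSERT INTO users (username, disabled) VALUES ('alice', 0), ('bob', 1)"); // constructed rows

// Probe string quoted in the first post of this thread.
$probe = "0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z";

// Same shape as the original getByUsername(): the only user-controlled value is bound
// with '?', and the optional 'AND disabled = 0' clause is a constant, not user input.
function getByUsername(PDO $pdo, string $username, bool $allowDisabled = true): ?array {
    $sql = 'SELECT * FROM users WHERE username = ?' . ($allowDisabled ? '' : ' AND disabled = 0');
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Unsafe variant for contrast only: the value is spliced into the SQL text.
function getByUsernameUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

var_dump(getByUsername($pdo, 'alice')['username']); // string(5) "alice"
var_dump(getByUsername($pdo, 'bob', false));        // NULL: bob is disabled and $allowDisabled is false
var_dump(getByUsername($pdo, $probe));              // NULL: the probe is compared as a literal string

try {
    getByUsernameUnsafe($pdo, $probe);
} catch (PDOException $e) {
    // The probe reached the parser: the quote closed the literal and XOR(...) was read as SQL.
    echo "unsafe variant: SQL error -> " . $e->getMessage() . "\n";
}
```

When a scanner reports a time-based finding against a parameterized query like this one, the next step is to find where the probe actually lands (another query, a plugin, or a custom modification), since the bound query above never lets the value reach the SQL parser.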

Hi @raju_singh,

It looks like you’re trying to integrate OJS with another system, and I can only provide limited help with that – but can you describe what the modification is supposed to accomplish, and what the current error/problem you’re facing is?

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you for the reply. I want to allow only - and _ in usernames; all other special characters are to be removed. Please suggest where to make the changes.

Hi @raju_singh,

I see you’ve already posted this as a new topic; it’s not related to this one, so I’ll close this one in favour of the other. In the future, it’s best to choose just a single place to post each question.

Thanks,
Alec Smecher
Public Knowledge Project Team