Is there any known vulnerability that allows remote file inclusion?

Hi to all.

I work for the security team of an organization, and a couple of days ago we had an incident that may be related to OJS. We have a machine that runs a digital magazine, and this machine runs OJS 3.1.2. We found an image in the directory “/var/www/html/ojs-3.1.2/public/site/images/zbi”. The image had a logo and a statement like “Hacked by …”.

Fortunately no big harm was done, and to access the image someone would need to type the full path to the image in the browser.

I wish I could give more detail, but it is not possible due to some NDAs.

I just want to know if there is any vuln that you guys know of related to OJS and remote file inclusion.

Thanks in advance.

Hi @Rafa_Oliveira,

The uploaded image isn’t a hack – see https://pkp.sfu.ca/2017/04/12/regarding-recent-ojs-defacement-attacks/ for details. We disclose known security problems on the OJS download page, so be sure to watch for entries related to your installation of OJS.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks @asmecher!

That seems to be the case.

Best Regards.