This is a security vulnerability

Hi all,

Today my journal was subject to a cyber attack. My hosting server stopped my website.

lib/pkp/lib/vendor/voku/portable-utf8/src/voku/helper/UTF8.php

It flagged this file as malware and stopped the site from publishing. I updated the Voku folder from the version I was using and got my page working again.

I wanted to inform you.

Hi @ikram,

  1. What version of OJS are you using?
  2. What is the files_dir setting in your config.inc.php configuration file?

Regards,
Alec Smecher
Public Knowledge Project Team

  1. OJS 3.0.4.7

  2. files_dir = /home/xxx/files

Sorry, the version was wrong. The correct one is 3.4.0.7.

Hi @ikram,

The script you mentioned does not ship with OJS, so it must’ve been installed by a malicious process/user after the OJS installation.

There are a lot of ways that could happen, and it’ll need further investigation on your server. How you do that is a little beyond the scope of the help we provide on this forum, but one place to start might be to look at the file creation date of the malicious script, and correlate that against the access log to see if you can identify a harmful request.

I would also suggest reviewing the set of users who have Journal Manager or Administrator privileges, and check the sessions database table to ensure that any entries for them come from the expected places (e.g. by looking up the IP addresses in a GeoIP database).

If you are able to determine any further details that you think might identify an active vulnerability, please contact me directly via private message or via the email address in our SECURITY.md file.

We are seeing increased activity in automated scans and attacks on out-of-date installations of our software, but we are not aware of any flaws that would allow remote code execution on an up-to-date installation. If you upgraded recently, it is possible that an attacker was able to get journal manager or site administrator access through a known flaw in your old installation before you upgraded. Again, reviewing the user database for unexpected journal managers or site administrators will help identify details.

And finally, all the usual caveats about user accounts apply: if you have a privileged user account with an easy-to-guess username or password, or share account information with other services that might’ve been compromised, that could also provide attack surfaces.

Regards,
Alec Smecher
Public Knowledge Project Team
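The timeline correlation Alec describes (take the dropped file's timestamp, pull the access-log requests around it, and look for the harmful request), as an added example that is not part of this thread, of OJS, or of PKP's tooling. It assumes a combined-format Apache/nginx access log and that the OJS directory is the web root, so the dropped file is reachable under `/lib/pkp/...`; the log lines and the file timestamp are constructed for the demonstration, and `file_change_time()` is what you would call on the real file instead.

```python
"""Correlate a dropped file's timestamp with web-server access-log lines.

Added example, not part of the PKP forum thread or of OJS. It assumes an
Apache/nginx "combined" log format and that the OJS directory is the web
root (so the dropped file is reachable at /lib/pkp/...). Sample log lines
and the file timestamp below are constructed for the demonstration.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Path of the dropped file, relative to the web root (from the thread).
DROPPED_PATH = "/lib/pkp/lib/vendor/voku/portable-utf8/src/voku/helper/UTF8.php"

# Constructed: when the file appeared on disk. On a real server call
# file_change_time() on the actual file instead.
FILE_TIME = datetime(2024, 5, 1, 10, 2, 30, tzinfo=timezone.utc)

# Constructed access-log lines (combined format, UTC); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2024:09:40:12 +0000] "GET /index.php/journal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2024:10:01:55 +0000] "POST /index.php/journal/management/settings/website HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2024:10:02:41 +0000] "GET /lib/pkp/lib/vendor/voku/portable-utf8/src/voku/helper/UTF8.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [01/May/2024:10:03:10 +0000] "GET /index.php/journal/article/view/12 HTTP/1.1" 200 14230 "-" "Mozilla/5.0"',
    "not a log line at all",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def file_change_time(path):
    """ctime (inode change time) of a file as an aware UTC datetime.

    ctime is used rather than mtime because mtime is trivially forged with
    touch(1); ctime cannot be set from user space without moving the clock.
    """
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop any query string so path comparisons are exact.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def requests_near(lines, when, window=timedelta(minutes=10)):
    """All parsable requests within +/- window of `when`, oldest first."""
    hits = [r for r in map(parse_line, lines) if r and abs(r["ts"] - when) <= window]
    return sorted(hits, key=lambda r: r["ts"])


def flag_suspicious(records, dropped_path):
    """Attach a reason to the records worth a closer look:

    - any request for the dropped file itself (it is not part of OJS, so no
      legitimate client should fetch it)
    - any state-changing request in the window (the upload or write that
      created the file most likely arrived through one of these)
    """
    flagged = []
    for r in records:
        if r["path"] == dropped_path:
            flagged.append(dict(r, reason="request to dropped file"))
        elif r["method"] in WRITE_METHODS:
            flagged.append(dict(r, reason="state-changing request in window"))
    return flagged


def suspect_ips(flagged):
    """Source addresses to check against the sessions table and a GeoIP DB."""
    return sorted({r["ip"] for r in flagged})


if __name__ == "__main__":
    near = requests_near(SAMPLE_LOG, FILE_TIME)
    flagged = flag_suspicious(near, DROPPED_PATH)
    for r in flagged:
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], "<-", r["reason"])
    print("suspect IPs:", suspect_ips(flagged))
```

The script narrows the log to a ten-minute window around the file's ctime and flags two things: any request for the dropped path (a webshell being used) and any state-changing request (the write that created it). The addresses it returns are the ones to look up in the `sessions` table and in a GeoIP database, as the post suggests. One dropped file is rarely the only one, so it is also worth diffing the whole installation against a clean copy of the same OJS release once the entry point is found.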