TinyMCE / Justboil.me vulnerability

Hi

Our IT support for our OJS journals at tuwhera.aut.ac.nz reported a hack allowing images to be uploaded to all of our OJS instances (all OJS 3x) via the justboil.me plugin (TinyMCE) exploit:
https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html

Our sites have been taken off external networks while a solution is sought.
Can you please advise whether there is a patch or solution to this vulnerability?

Many thanks


Hi @LuqmanH,

I’ve filed this at https://github.com/pkp/pkp-lib/issues/5871 and will post information about patches shortly. In the meantime the quickest solution that won’t take down your site is to remove plugins/generic/tinymce/plugins/justboil.me and all of its contents.

Note that this does not affect OJS and OMP 3.2.0 and newer, or any release of OPS; the justboil.me TinyMCE plugin is not included in these releases.

Regards,
Alec Smecher
Public Knowledge Project Team


Thanks @asmecher That’s great.
Yes, we are going to disable the plugin for now. We had to put all our upgrades on hold while in COVID19 lockdown so we’ve not made it to 3.2. Is there a replacement image upload plugin in that release?

Hi @LuqmanH,

Yes, there’s a replacement for justboil.me in 3.2.0 and newer – see https://github.com/pkp/pkp-lib/issues/4890.

Regards,
Alec Smecher
Public Knowledge Project Team


Hi @asmecher,

I’ve managed the security issue following this instruction: https://github.com/pkp/pkp-lib/issues/5871 in my 3.1.2-1 OJS installations. Now I can’t upload an image. We don’t have financial support to upgrade to 3.2x for now, and I wanted to ask whether there is any possibility to upload images in another way?

Best regards
Dorota

Perhaps a solution, while not updating the version of OJS, is to publish images in the Publisher Library:
https://docs.pkp.sfu.ca/learning-ojs/en/settings-workflow#publisher-library

Hi @doridek,

The changes that are already included in OJS 3.2.x can be applied to version 3.1.2 using the patches linked here: https://github.com/pkp/pkp-lib/issues/5871#issuecomment-636883975

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you @asmecher,

I’ve read the information about patches (https://github.com/pkp/pkp-lib/pull/5888/files) but honestly I don’t know what to do with them. Correct me if I am wrong:

I have an OJS 3.1.2-1 version.

  1. I created a file: PKPUploadPublicFileHandler.inc.php and put it in the [api/v1/_uploadPublicFile/] directory.

  2. I should make changes in two files: classes/template/PKPTemplateManager.inc.php and js/controllers/SiteHandler.js

But I don’t have such files in my OJS installation directories.

Sorry for such question but my adventure with OJS and GitHub is still quite fresh…

Best regards
Dorota

Hi @doridek,

The files in step 2 of your post above can be found in the lib/pkp subdirectory.

Regards,
Alec Smecher
Public Knowledge Project Team

@asmecher - thank you very much! That worked and now I have the “image upload” button.

But still I have another problem:

I have applied the changes described in #5888 and pkp/ojs#2755 for 3 of our journals. In one case, after choosing “upload” I can choose the file and it looks like it is uploading, but after a while nothing happens. In the other 2 journals the image is constantly uploading:
[image: image_upload]

Where should I look for a solution? My OJS is 3.1.2-1

Best regards
Dorota

Hi @doridek,

I would suggest checking your PHP error log, your browser’s error console, and the file permissions in the public directory (specifically where OJS will be trying to upload the image – see successfully-uploaded images for the pattern).

Regards,
Alec Smecher
Public Knowledge Project Team

@asmecher

Is there direction for making this change on OJS 2.4.8?

I have patched OJS files manually in the past with no issue, but now I cannot tell what files need to be patched for this justboil.me.

I looked at the GitHub link referenced above and downloaded the patch file for the version of OJS I am using. When I opened it, it is just black text and does not show any highlight for the lines that need to be removed.

Usually, in the past, I can see the affected lines highlighted on github.com as well as see it in the editor I use. Take a look at this page, it shows what needs to be removed and added. Is there something like that for jbimages? https://github.com/pkp/pkp-lib/commit/fd985570357049a986aeb8d33652092fbe5b88e2

I have removed the plugin jbimages.

How do I remove all instances of jbimages in OJS 2.4.8?

Or anyone else that can help, would be greatly appreciated.

Newone

Hi @newone,

Patch files are designed to be applied by the GNU patch tool, rather than read and applied manually. However, most programmer’s text editors know how to do syntax highlighting on patch files, so you might try opening that file in another editor. (I use vim, which does highlight patch files.)

Regards,
Alec Smecher
Public Knowledge Project Team
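The workflow described above (applying a unified diff with the GNU patch tool rather than editing lines by hand), as an added example that is not part of this thread or of PKP's code. It builds a constructed miniature source tree and a constructed diff that drops one plugin line, dry-runs the patch first so nothing is modified unless it would apply cleanly, then applies it and checks the result. Function names, the `src/plugins.cfg` file and its contents are all assumptions made for the example; the real OJS patch files are the ones linked from the pkp-lib issue.

```shell
#!/bin/sh
# Added example (not PKP's code): apply a unified diff with GNU patch, dry-run first.
# The tree, file name and diff are constructed for illustration only.

# Create a constructed mini source tree with one config file that mentions the plugin.
pt_make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    printf 'plugins = link\nplugins = jbimages\nplugins = lists\n' > "$dir/src/plugins.cfg"
    printf '%s\n' "$dir"
}

# Produce a unified diff (a/... vs b/... paths, as a real patch file has) that removes
# the jbimages line, by diffing the current file against a cleaned copy.
pt_make_patch() {
    tree=$1
    work=$(mktemp -d)
    mkdir -p "$work/a/src" "$work/b/src"
    cp "$tree/src/plugins.cfg" "$work/a/src/plugins.cfg"
    grep -v jbimages "$work/a/src/plugins.cfg" > "$work/b/src/plugins.cfg"
    # diff exits with status 1 when the files differ; that is expected here
    (cd "$work" && diff -u a/src/plugins.cfg b/src/plugins.cfg > "$work/remove-jbimages.diff") || true
    printf '%s\n' "$work/remove-jbimages.diff"
}

# Dry run: exit status 0 means the patch would apply cleanly; nothing on disk changes.
# -p1 strips the leading a/ and b/ path components, -d runs inside the tree.
pt_dry_run() {
    tree=$1; diff=$2
    patch -p1 -d "$tree" --dry-run < "$diff" > /dev/null
}

# Real application, to be run only after the dry run succeeded.
pt_apply() {
    tree=$1; diff=$2
    patch -p1 -d "$tree" < "$diff" > /dev/null
}

# Number of lines in the config file that still mention jbimages (0 once patched).
pt_count_jb() {
    grep -c jbimages "$1/src/plugins.cfg" || true
}

# Usage when run directly: build the sample tree, dry-run, apply, report.
if [ "${PT_DEMO:-}" = "1" ]; then
    t=$(pt_make_tree); p=$(pt_make_patch "$t")
    pt_dry_run "$t" "$p" && pt_apply "$t" "$p" && echo "remaining jbimages lines: $(pt_count_jb "$t")"
fi
```

Run it with `PT_DEMO=1 sh apply-patch-example.sh`. The dry run is the check a practitioner wants before touching a production install: if it reports rejected hunks, the file on disk differs from what the patch expects (wrong OJS version or earlier manual edits), and applying anyway would leave `.rej` fragments to reconcile by hand.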

Hi @asmecher

I am not a programmer, I don’t have access to any of the tools mentioned, and vi is for unix systems. I patch manually by editing the lines in the file. I have windows and use Notepad++.

Is this the link for OJS 2.4.8? https://github.com/pkp/pkp-lib/files/4626180/ojs-2.4.8-5.diff.txt

When I opened the file, it does not show any highlighted changes. Many lines show -|. On github, you can see what line should be removed and added, like 223 and 224: https://github.com/pkp/pkp-lib/commit/fd985570357049a986aeb8d33652092fbe5b88e2

My question is that the current patch does not indicate what needs to be removed.

Will deleting the plugin fix this issue?

Thanks

Hi @newone,

You might be able to get Notepad++ to appropriately highlight the file by giving it a .diff or .patch suffix, rather than .txt.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher ,

Will deleting the plugin fix this issue?

Hi @newone,

That’s what the patch file does, when you apply it. If you make the same changes that are described in the patch file, it will remove the plugin and anything that refers to it.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks @asmecher

I had already deleted the plugin folder much earlier.

Is there a way to remove all the other references of the plugin?

Hi @newone,

Yes, either apply the patch (manually as you’ve done before or using the GNU patch tool), or follow the instructions under “Manual Correction” at https://github.com/pkp/pkp-lib/issues/5871.

Regards,
Alec Smecher
Public Knowledge Project Team
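A way to verify the clean-up the reply above describes (plugin directory gone, and nothing left that refers to it), as an added example that is not part of this thread or of PKP's code. The plugin path `plugins/generic/tinymce/plugins/justboil.me` and the names `justboil` and `jbimages` come from the thread; the function names, the file-type filter and the constructed sample tree are assumptions made for the example, and the sample tree is not a real OJS install.

```shell
#!/bin/sh
# Added example (not PKP's code): check an OJS tree for leftovers of the justboil.me
# TinyMCE plugin. Pass the OJS root directory as the first argument.

# 0 if the plugin directory is absent, 1 if it is still present.
jb_plugin_dir_removed() {
    ojs_root=$1
    [ ! -d "$ojs_root/plugins/generic/tinymce/plugins/justboil.me" ]
}

# List files under the tree that still mention the plugin (PHP, JS and template files only);
# returns 0 when the list is empty, 1 otherwise.
jb_find_references() {
    ojs_root=$1
    matches=$(grep -rliE --include='*.php' --include='*.js' --include='*.tpl' \
        'justboil|jbimages' "$ojs_root" 2>/dev/null || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Number of files that still reference the plugin (handy for scripting a check).
jb_count_references() {
    ojs_root=$1
    grep -rliE --include='*.php' --include='*.js' --include='*.tpl' \
        'justboil|jbimages' "$ojs_root" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree: an empty plugin directory plus one file that still lists
# jbimages in a TinyMCE plugin string. Not a real OJS install.
jb_make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/generic/tinymce/plugins/justboil.me" "$dir/lib/pkp/classes/template"
    printf '<?php\n// constructed sample: plugin list still names jbimages\n$plugins = "jbimages,link";\n' \
        > "$dir/lib/pkp/classes/template/PKPTemplateManager.inc.php"
    printf '<?php\n// constructed sample: clean file\n' > "$dir/index.php"
    printf '%s\n' "$dir"
}

# Usage: sh check-jbimages.sh /path/to/ojs
if [ -n "${1:-}" ]; then
    if jb_plugin_dir_removed "$1"; then echo "plugin directory: absent"; else echo "plugin directory: STILL PRESENT"; fi
    if jb_find_references "$1"; then echo "references: none"; else echo "references: remain in the files above"; fi
fi
```

Deleting the directory alone is the step already taken in the thread; the reference scan is what shows whether the TinyMCE configuration and templates still try to load the plugin, which is exactly what the patch removes. Run it once before and once after applying the patch or the “Manual Correction” steps, and expect the second run to report no references.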

Hi @asmecher,

That was my original question. The patch is not clear as the previous OJS patches were, which can be viewed on github website. For example, the patch is a diff file and it is not clear what needs to be removed and what needs to stay, and it is too long. Can a patch that follows in line with previous patches be made?

Manual is still command. I had already explained previously that I don’t have access to shell/command.

-Newone