Our sites have been taken off external networks while a solution is sought.
Can you please advise whether there is a patch or solution to this vulnerability?
I’ve filed this at Remove JBImages plugin · Issue #5871 · pkp/pkp-lib · GitHub and will post information about patches shortly. In the meantime the quickest solution that won’t take down your site is to remove plugins/generic/tinymce/plugins/justboil.me and all of its contents.
Note that this does not affect OJS and OMP 3.2.0 and newer, or any release of OPS; the justboil.me TinyMCE plugin is not included in these releases.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks @asmecher That’s great.
Yes, we are going to disable the plugin for now. We had to put all our upgrades on hold while in COVID19 lockdown so we’ve not made it to 3.2. Is there a replacement image upload plugin in that release?
I’ve managed the security issue from this instruction: Remove JBImages plugin · Issue #5871 · pkp/pkp-lib · GitHub in my 3.1.2-1 OJS installations. Now I can’t upload an image. We don’t have financial support to upgrade to 3.2x for now and I wanted to ask is there any possibility to upload images in another way?
@asmecher - thank you very much! That worked and now I have the “image upload” button.
But still I have another problem:
I have applied the changes described in #5888 and pkp/ojs#2755 for 3 of our journals. In one case after choosing “upload” I can choose the file and it looks like it is uploading but after a while nothing happens. In the other 2 journals the image is constantly uploading:
Where should I look for a solution? My OJS is 3.1.2-1
I would suggest checking your PHP error log, your browser’s error console, and the file permissions in the public directory (specifically where OJS will be trying to upload the image – see successfully-uploaded images for the pattern).
Regards,
Alec Smecher
Public Knowledge Project Team
Is there direction for making this change on OJS 2.4.8?
I have patched OJS files manually in the past with no issue, but now, I cannot tell what files need to be patched for this justboil.me.
I looked at the github link referenced above and downloaded the patch file for the version of OJS I am using. When I opened it, it is just black text and does not show any highlight for the lines that need to be removed.
Patch files are designed to be applied by the GNU patch tool, rather than read and applied manually. However, most programmer’s text editors know how to do syntax highlighting on patch files, so you might try opening that file in another editor. (I use vim, which does highlight patch files.)
Regards,
Alec Smecher
Public Knowledge Project Team
I am not a programmer, I don’t have access to any of the tools mentioned, and vi is for unix systems. I patch manually by editing the lines in the file. I have windows and use Notepad++.
That’s what the patch file does, when you apply it. If you make the same changes that are described in the patch file, it will remove the plugin and anything that refers to it.
Regards,
Alec Smecher
Public Knowledge Project Team
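For admins doing the removal by hand, here is a small POSIX shell helper (an added example, not PKP's patch or anything from the thread) that checks whether the plugins/generic/tinymce/plugins/justboil.me directory named above is still present, lists any other TinyMCE plugin files that still mention justboil (the references the patch also strips), and removes the directory. The OJS root is passed as an argument; file names inside justboil.me used for testing are constructed, not the real plugin's.

```shell
#!/bin/sh
# Helper for the JBImages (justboil.me) removal discussed in the thread.
# Added example; it is not PKP's patch. Usage: jbimages_status /path/to/ojs
JBIMAGES_REL='plugins/generic/tinymce/plugins/justboil.me'

# Print "present" or "absent" depending on whether the vulnerable plugin
# directory still exists under the OJS root given as $1.
jbimages_status() {
  if [ -d "$1/$JBIMAGES_REL" ]; then echo present; else echo absent; fi
}

# List files under the TinyMCE plugin (outside justboil.me itself) that
# still mention justboil. A non-empty list means references remain and the
# manual edit is incomplete; an empty list means nothing else loads it.
jbimages_refs() {
  grep -rli 'justboil' "$1/plugins/generic/tinymce" 2>/dev/null \
    | grep -v "/plugins/justboil.me/" || true
}

# Remove the plugin directory and print the number of files deleted
# (0 if it was already gone), so the action is auditable.
jbimages_remove() {
  dir="$1/$JBIMAGES_REL"
  [ -d "$dir" ] || { echo 0; return 0; }
  n=$(find "$dir" -type f | wc -l | tr -d ' ')
  rm -rf "$dir"
  echo "$n"
}
```

Run `jbimages_refs` after `jbimages_remove`; the directory being gone is only half the fix, any file it lists still needs the edit described in the patch.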
That was my original question. The patch is not clear as the previous OJS patches were, which can be viewed on github website. For example, the patch is a diff file and it is not clear what needs to be removed and what needs to stay, and it is too long. Can a patch that follows in line with previous patches be made?
Manual is still command. I had already explained previously that I don’t have access to shell/command.