Hi there, our server is reporting that the CodeIgniter script is out of date and is currently a vulnerable file for uploading malicious files. This was confirmed earlier today when a file was uploaded, ran and took our site down for 30 minutes.
Could you advise how I could update CodeIgniter please?
CodeIgniter is only included in OJS for the sake of the JustBoil.me image uploader that’s used in TinyMCE controls; it’s not a major component of OJS. I’m not aware of any vulnerabilities in it that can be used to compromise OJS; if you’ve confirmed something like this yourself, please send me the details ASAP.
Is your files_dir inside your web root? If so, that’s a misconfiguration of OJS and can potentially be used to compromise the system. This is noted in the README documentation, on the installation form, and elsewhere – your files_dir should be either placed outside your web root, or protected from direct access using .htaccess or something similar. This isn’t related to CodeIgniter.
Regards,
Alec Smecher
Public Knowledge Project Team
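
One way to check the files_dir question raised in the reply above, as an added example that is not part of the original thread or of OJS itself: it reads `files_dir` from the text of `config.inc.php` and reports whether it resolves inside the web root. The install paths, the sample config, and resolving a relative value against the OJS directory are assumptions.

```python
import os
import re

# Constructed sample of the relevant part of an OJS config.inc.php (INI syntax).
SAMPLE_CONFIG = """\
; <?php exit(); // DO NOT DELETE ?>
[files]
; files_dir = /old/location
files_dir = files
"""

def read_files_dir(config_text):
    """Return the active files_dir value, skipping ';' comment lines."""
    for line in config_text.splitlines():
        match = re.match(r"\s*files_dir\s*=\s*(.*?)\s*$", line)
        if match:
            return match.group(1).strip("\"'")
    return None

def files_dir_exposed(config_text, ojs_dir, web_root):
    """True if files_dir resolves to web_root or a path beneath it."""
    value = read_files_dir(config_text)
    if not value:
        raise ValueError("files_dir is not set in the config text")
    # Assumption: a relative files_dir is resolved against the OJS directory.
    # realpath also follows symlinks, so a link back into the web root counts.
    path = os.path.realpath(os.path.join(ojs_dir, value))
    root = os.path.realpath(web_root)
    # commonpath compares whole components: /var/www/html-files is NOT
    # treated as being inside /var/www/html.
    return os.path.commonpath([path, root]) == root

if __name__ == "__main__":
    # Hypothetical install layout; substitute the real paths.
    ojs_dir, web_root = "/var/www/html/ojs", "/var/www/html"
    if files_dir_exposed(SAMPLE_CONFIG, ojs_dir, web_root):
        print("files_dir is inside the web root: move it or deny direct access")
    else:
        print("files_dir is outside the web root")
```

A result of True only says the directory sits under the web root; the script does not inspect `.htaccess` or other server rules, so whether direct access is already denied has to be confirmed separately.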