Upgrading Codeigniter.php

Hi there, our server is reporting that the Codeigniter script is out of date and is currently a vulnerable file for uploading malicious files. This was confirmed earlier today when a file was uploaded, ran and took our site down for 30 minutes.

Could you advise how I could update Codeigniter please?

Hi @keeno79,

CodeIgniter is only included in OJS for the sake of the JustBoil.me image uploader that’s used in TinyMCE controls; it’s not a major component of OJS. I’m not aware of any vulnerabilities in it that can be used to compromise OJS; if you’ve confirmed something like this yourself, please send me the details ASAP.

Is your files_dir inside your web root? If so, that’s a misconfiguration of OJS and can potentially be used to compromise the system. This is noted in the README documentation, on the installation form, and elsewhere – your files_dir should be either placed outside your web root, or protected from direct access using .htaccess or something similar. This isn’t related to CodeIgniter.

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you for responding, the message we receive weekly (for the past three weeks from our hosts) is as follows …

# (decoded file [depth: 1]) Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0263]]
'/home/respons3/public_html/ojs/plugins/generic/tinymce/plugins/justboil.me/ci/system/core/CodeIgniter.php'
# Script version check [OLD] [CodeIgniter v2.1.3 < v3.1.7]

Our files directory is stored outside of the webroot folder.

Hi @keeno79,

Can you PM me with any additional details about the exploit you observed?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi all,

The exploit appears to be related to the files_dir being web-accessible, not CodeIgniter.

Regards,
Alec Smecher
Public Knowledge Project Team
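Added example, not part of the thread and not OJS code: a check for the misconfiguration discussed above, reading `files_dir` from the text of `config.inc.php` and testing whether it resolves inside the web root. It assumes the setting sits in a `[files]` section and that a relative value is resolved against the OJS install directory; the function names, sample config and paths are constructed for illustration.

```python
import os
import re

# Constructed sample in the INI-style layout assumed for config.inc.php.
SAMPLE = """; <?php exit(); // DO NOT DELETE ?>
[general]
installed = On
[files]
files_dir = {files_dir}
"""

def read_files_dir(config_text):
    """Return the files_dir value from the [files] section, or None."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "files":
            setting = re.match(r"files_dir\s*=\s*(.*)$", line)
            if setting:
                return setting.group(1).strip().strip("\"'")
    return None

def files_dir_in_web_root(config_text, ojs_root, web_root):
    """True if files_dir resolves to the web root or a path beneath it."""
    value = read_files_dir(config_text)
    if value is None:
        raise ValueError("no files_dir setting in [files] section")
    # Assumption: a relative files_dir is resolved against the OJS install dir.
    # realpath collapses ".." and symlinks before the comparison.
    path = os.path.realpath(os.path.join(ojs_root, value))
    root = os.path.realpath(web_root)
    # commonpath compares whole path components, so /var/www/html_files
    # is not mistaken for a child of /var/www/html.
    return os.path.commonpath([path, root]) == root

if __name__ == "__main__":
    for value in ("files", "../../ojs_files", "/var/www/html_files"):
        exposed = files_dir_in_web_root(
            SAMPLE.format(files_dir=value), "/var/www/html/ojs", "/var/www/html")
        print(f"{value!r}: {'INSIDE web root' if exposed else 'outside web root'}")
```

A result of "outside web root" only covers the path check; a `files_dir` inside the web root that is protected by `.htaccess` or similar still needs that protection verified separately.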