The OJS system allows executable files to be uploaded, e.g. *.php, *.phtml, *.shtml... A normal article submission should not include files with these extensions; once executable files are uploaded, an attacker can execute them to do something high-risk, which is a system security concern.
Steps I took leading up to the issue
A user can easily upload any executable file when submitting an article; this should be blocked.
The Allowed Uploads plugin is available in the Plugin Gallery to control what kinds of files can and cannot be uploaded.
However, OJS is safe without that plugin. Make sure the files directory (files_dir in config.inc.php, and “Directory for Uploads” in the installation form) is not publicly web-accessible. This is noted on the installation form, in the configuration file, in the documentation, and elsewhere.
Even if you use the Allowed Uploads plugin, you should make sure to keep the files directory somewhere safe. You do not want users to be able to guess filenames of uploads and access them directly.
We have not blocked the upload of potentially executable files for two reasons:
There are too many types of executable files for us to be able to comprehensively list them for all servers.
It is perfectly valid for journals to upload code, e.g. a computer science journal that wants to capture programming along with submission text.
The solution is to configure your files directory safely.
Regards,
Alec Smecher
Public Knowledge Project Team
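The check the reply describes, as an added example that is not part of this thread or of OJS itself: a POSIX shell script that reads `files_dir` from a `config.inc.php` and reports whether it lies inside the web server's document root. The sample config contents, the document root `/var/www/html`, and the decision to treat a relative `files_dir` as exposed are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not OJS project code): check whether the files_dir configured
# in an OJS config.inc.php lies inside the web server's document root. The
# config files, the document root and the relative-path rule below are
# constructed assumptions for this demo.
set -eu

# Print the value of files_dir from a config.inc.php ("files_dir = /some/path").
# Only the first match is used; surrounding double quotes are stripped.
ojs_files_dir() {
  sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" \
    | head -n 1 | sed -e 's/^"//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*$//'
}

# Return 0 if directory $1 is $2 or lies below it. Both paths are compared
# textually after collapsing duplicate slashes and appending a trailing slash,
# so /var/www/html2 is correctly not treated as being under /var/www/html.
# Symlinks and ".." are not resolved; pass the paths through readlink -f first
# when the directories exist on the host.
path_is_under() {
  dir=$(printf '%s/' "$1" | sed 's#//*#/#g')
  root=$(printf '%s/' "$2" | sed 's#//*#/#g')
  case "$dir" in
    "$root"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Evaluate one config against a document root. Prints a verdict and returns
# 0 when files_dir is outside the document root, 1 when it is web-accessible,
# 2 when no files_dir is set at all.
check_files_dir() {
  config=$1
  docroot=$2
  files_dir=$(ojs_files_dir "$config")
  if [ -z "$files_dir" ]; then
    echo "WARN: no files_dir set in $config"
    return 2
  fi
  case "$files_dir" in
    /*) ;;
    *)  # Assumption for the demo: a relative files_dir is resolved against
        # the OJS install directory, which usually sits under the document
        # root, so it is conservatively reported as exposed.
        echo "EXPOSED: relative files_dir '$files_dir' in $config"
        return 1 ;;
  esac
  if path_is_under "$files_dir" "$docroot"; then
    echo "EXPOSED: files_dir $files_dir is inside document root $docroot"
    return 1
  fi
  echo "OK: files_dir $files_dir is outside document root $docroot"
  return 0
}

# Demo on two constructed config files: one storing uploads under the web
# root, one storing them outside it.
demo_dir=$(mktemp -d)
printf '[files]\nfiles_dir = /var/www/html/ojs/files\n' > "$demo_dir/exposed.inc.php"
printf '[files]\nfiles_dir = /var/ojs-files\n' > "$demo_dir/safe.inc.php"
for cfg in "$demo_dir/exposed.inc.php" "$demo_dir/safe.inc.php"; do
  check_files_dir "$cfg" /var/www/html || true
done
rm -rf "$demo_dir"
```

On a real install, call `check_files_dir /path/to/config.inc.php "$DOCROOT"` with both paths first normalised by `readlink -f`. An "EXPOSED" verdict means a guessed filename under `files_dir` could be fetched (or, for a .php upload, executed) by the web server; moving the directory outside the document root, as the reply advises, is the fix, and this check is independent of whether the Allowed Uploads plugin is installed.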