Uploading of critical files should be blocked

The OJS system can be uploaded executable file, ex: *.php, *.phtml, *.shtml…A normal article submission should not be uploaded these extension files, once executable files were uploaded, then the attacker can execute these files to do high risk something, it causes system security concern.

Steps I took leading up to the issue
A user can easily upload any executable file when submitted article, it should be blocked.

What application are you using?
All OJS versions.

Additional information

Hi @chung-han,

The Allowed Uploads plugin is available in the Plugin Gallery to control what kinds of files can and cannot be uploaded.

However, OJS is safe without that plugin. Make sure the files directory (files_dir in config.inc.php, and “Directory for Uploads” in the installation form) is not publicly web-accessible. This is noted on the installation form, in the configuration file, in the documentation, and elsewhere.

Even if you use the Allowed Uploads plugin, you should make sure to keep the files directory somewhere safe. You do not want users to be able to guess filenames of uploads and access them directly.

We have not blocked the upload of potentially executable files for two reasons:

  • There are too many types of executable files for us to be able to comprehensively list them for all servers.
  • It is perfectly valid for journals to upload code, e.g. a computer science journal that wants to capture programming along with submission text.

The solution is to configure your files directory safely.

Alec Smecher
Public Knowledge Project Team

1 Like

This topic was automatically closed after 9 days. New replies are no longer allowed.