Vulnerabilidad OJS 2.4.8.5

ltenorio · April 20, 2021, 4:24pm

Estimado/a,
Quisiera por favor me puedan ayudar con estas 3 vulnerabilidades que se encontraron en el OJS 2.4.8.5 que manejamos en nuestra revista.

Cross site scripting (XSS) en /Index.php/
La entrada de Fragmento de ruta /index.php/~~/~~/~~/ / [*] se estableció en 38929440’9379 La entrada se refleja dentro del código Javascript entre comillas simples.~~~~~~

Ataque a Host header en servidor web
El encabezado del host (removed) se reflejó dentro de una etiqueta LINK (atributo href).

Formulario HTML sin protección CSRF
Form name: registration
Form action:
Form method: GET
Form inputs:
txtnumdocumento [text]
captcha [text]
[button]

Ojalá puedan apoyarme,
Muchas gracias

rcgillis · April 21, 2021, 12:35am

Hello @ltenorio,

Sorry - but I will only be able to reply in English. The version of OJS that you’re using is no longer maintained or supported by PKP. I recommend that you upgrade to the newest version of OJS.

You may find the following resources helpful in preparing for and performing the upgrade:

These resources will introduce you to OJS 3 and how it is different from OJS 2:

OJS 3 Features Overview video
Setting up a Journal and Editorial Workflow video tutorials in PKP School
Learning OJS 3 user guide
OJS 3 live demo site

If you are interested in professional, specialized support for your OJS install, including free upgrades, PKP Publishing Services offers a fee-based service which provides the hosting of OJS, daily backups of your data, applying security patches and upgrades, and priority answering your support questions. They offer solutions for a range of publishers, from small, cost-conscious or society publishers to full university and commercial publishing institutions. More information is available on their website.

Best regards,

Roger
PKP Team

ltenorio · April 24, 2021, 5:25pm

Buenas tardes,
Si se esta pensando en migrar, pero mas adelante. No habrá alguna otra solución para la vulnerabilidad que describi?.
Muchas gracias,

asmecher · April 27, 2021, 3:07pm

Hola @ltenorio,

The first question (regarding XSS) isn’t clear – can you review the post and use the post formatting tools to format it clearly?

Regarding the second issue (an unexpected malicious hostname showing up in links) this could be caused by many different things and I’d need more information to make a specific recommendation.

Regarding CSRF protection, OJS 2.x does not offer this kind of protection and it would be labour-intensive to add it. I’d recommend upgrading to OJS 3.x to resolve this aspect.

Regards,
Alec Smecher
Public Knowledge Project Team

ltenorio · April 27, 2021, 7:44pm

Buenas tardes, envío una imagen con la vulnerabilidad reportada:
pkp

Muchas gracias por su respuesta,

asmecher · April 27, 2021, 8:53pm

Hola @ltenorio,

Lastimosamente eso no me da informacion suficiente para identificar ambas problemas. Si podes prestar mas detalles, es posible que pueda ayudar.

Gracias,
Alec Smecher
Public Knowledge Project Team

asmecher · May 4, 2021, 3:00pm

This topic was automatically closed after 6 days. New replies are no longer allowed.