Vulnerabilidad OJS

Quisiera por favor me puedan ayudar con estas 3 vulnerabilidades que se encontraron en el OJS que manejamos en nuestra revista.

  • Cross site scripting (XSS) en /Index.php/
    La entrada de Fragmento de ruta /index.php//// / [*] se estableció en 38929440’9379 La entrada se refleja dentro del código Javascript entre comillas simples.

  • Ataque a Host header en servidor web
    El encabezado del host (removed) se reflejó dentro de una etiqueta LINK (atributo href).

  • Formulario HTML sin protección CSRF
    Form name: registration
    Form action:
    Form method: GET
    Form inputs:
    txtnumdocumento [text]
    captcha [text]

Ojalá puedan apoyarme,
Muchas gracias

Hello @ltenorio,

Sorry - but I will only be able to reply in English. The version of OJS that you’re using is no longer maintained or supported by PKP. I recommend that you upgrade to the newest version of OJS.

You may find the following resources helpful in preparing for and performing the upgrade:

These resources will introduce you to OJS 3 and how it is different from OJS 2:

If you are interested in professional, specialized support for your OJS install, including free upgrades, PKP Publishing Services offers a fee-based service which provides the hosting of OJS, daily backups of your data, applying security patches and upgrades, and priority answering your support questions. They offer solutions for a range of publishers, from small, cost-conscious or society publishers to full university and commercial publishing institutions. More information is available on their website.

Best regards,

PKP Team

Buenas tardes,
Si se esta pensando en migrar, pero mas adelante. No habrá alguna otra solución para la vulnerabilidad que describi?.
Muchas gracias,

Hola @ltenorio,

The first question (regarding XSS) isn’t clear – can you review the post and use the post formatting tools to format it clearly?

Regarding the second issue (an unexpected malicious hostname showing up in links) this could be caused by many different things and I’d need more information to make a specific recommendation.

Regarding CSRF protection, OJS 2.x does not offer this kind of protection and it would be labour-intensive to add it. I’d recommend upgrading to OJS 3.x to resolve this aspect.

Alec Smecher
Public Knowledge Project Team

Buenas tardes, envío una imagen con la vulnerabilidad reportada:

Muchas gracias por su respuesta,

Hola @ltenorio,

Lastimosamente eso no me da informacion suficiente para identificar ambas problemas. Si podes prestar mas detalles, es posible que pueda ayudar.

Alec Smecher
Public Knowledge Project Team

This topic was automatically closed after 6 days. New replies are no longer allowed.