My OJS 3.0.2 was hacked on 13 June 2017. I had to reformat and reinstall everything from scratch. Now our ICT team has run a penetration test before opening the system, to make sure it is safe. From the test results, I was advised to resolve the high- and medium-risk issues. Therefore, I need some advice and guidance on how to solve these issues.
- High risk
Using the GET HTTP method, it is found that:
- The following resources may be vulnerable to blind SQL injection:
- The ‘source’ parameter of the /index.php/PMJET/login/signIn CGI:
/index.php/PMJET/login/signIn?username=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&password=&remember=1&source=zz&csrfToken=5f53622ec36b57875e6607d96a02b3d9&password=&remember=1&source=yy
-------- output --------
</div>
<input type="hidden" name="source" value="" />
<fieldset class="fields">
-------- vs --------
</div>
<input type="hidden" name="source" value="yy" />
<fieldset class="fields">
/index.php/PMJET/login/signIn?username=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&password=&remember=1&source=zz&csrfToken=5f53622ec36b57875e6607d96a02b3d9&password=&remember=1&source=yy {2}
-------- output --------
</div>
<input type="hidden" name="source" value="" />
<fieldset class="fields">
-------- vs --------
</div>
<input type="hidden" name="source" value="yy" />
<fieldset class="fields">
- The ‘username’ parameter of the /index.php/PMJET/user/registerUser CGI:
/index.php/PMJET/user/registerUser?readerGroup[442]=1&reviewerGroup[441]=1&email=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&country=&authorGroup[439]=1&affiliation[en_US]=&firstName=&lastName=&middleName=&password=&password2=&username=zz1&reviewerGroup[441]=1&email=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&country=&authorGroup[439]=1&affiliation[en_US]=&firstName=&lastName=&middleName=&password=&password2=&username=yy
-------- output --------
<span class="pkp_form_error">Errors occurred processing this for [...]
<ul class="pkp_form_error_list">
<li><a href="#username">A username is required.</a></li>
<li><a href="#password">A password is required.</a></li>
<li><a href="#firstName">A first name is required.</a></li>
-------- vs --------
<span class="pkp_form_error">Errors occurred processing this for [...]
<ul class="pkp_form_error_list">
[...]
2. Medium risk
The following pages do not use a clickjacking mitigation response header and contain a clickable event:
- http://xx.xx.xx.xx/index.php/journalabrre
- http://xx.xx.xx.xx/index.php/journalabrre/about
- http://xx.xx.xx.xx/index.php/journalabrre/about/aboutThisPublishingSystem
- http://xx.xx.xx.xx/index.php/journalabrre/about/contact
- http://xx.xx.xx.xx/index.php/journalabrre/about/editorialTeam
- http://xx.xx.xx.xx/index.php/journalabrre/about/submissions
- http://xx.xx.xx.xx/index.php/journalabrre/announcement
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2035
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2159
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2160
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2162
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2163
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2166
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2168
- http://xx.xx.xx.xx/index.php/journalabrre/article/view/2169
- http://xx.xx.xx.xx/index.php/journalabrre/index
- http://xx.xx.xx.xx/index.php/journalabrre/issue/archive
- http://xx.xx.xx.xx/index.php/journalabrre/issue/view/225
- http://xx.xx.xx.xx/index.php/journalabrre/login
- http://xx.xx.xx.xx/index.php/journalabrre/search
- http://xx.xx.xx.xx/index.php/journalabrre/search/search
- http://xx.xx.xx.xx/index.php/journalabrre/user/register
- http://xx.xx.xx.xx/index.php/journalabrre
- http://xx.xx.xx.xx/index.php/journalabrre/
- http://xx.xx.xx.xx/index.php/journalabrre/about
- http://xx.xx.xx.xx/index.php/journalabrre/about/aboutThisPublishingSystem
- http://xx.xx.xx.xx/index.php/journalabrre/about/contact
- http://xx.xx.xx.xx/index.php/journalabrre/about/submissions
- http://xx.xx.xx.xx/index.php/journalabrre/announcement
- http://xx.xx.xx.xx/index.php/journalabrre/announcement/view/32
- http://xx.xx.xx.xx/index.php/journalabrre/index
- http://xx.xx.xx.xx/index.php/journalabrre/issue
- http://xx.xx.xx.xx/index.php/journalabrre/issue/
- http://xx.xx.xx.xx/index.php/journalabrre/issue/archive
- http://xx.xx.xx.xx/index.php/journalabrre/issue/current
- http://xx.xx.xx […]
3. Medium risk
Using the GET HTTP method, it is found that:
- The following resources may be vulnerable to unseen parameters:
- The ‘source’ parameter of the /index.php/PMJET/user/register CGI:
/index.php/PMJET/user/register?source=&source=1
-------- output --------
<input type="hidden" name="csrfToken" value="46476637656dec72748 [...]
<fieldset class="identity">
-------- vs --------
<input type="hidden" name="csrfToken" value="46476637656dec72748 [...]
<input type="hidden" name="source" value="1" />
- The ‘source’ parameter of the /index.php/PMJET/user/registerUser CGI:
/index.php/PMJET/user/registerUser?username=&reviewerGroup[441]=1&email=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&country=&authorGroup[439]=1&affiliation[en_US]=&firstName=&lastName=&middleName=&password=&password2=&readerGroup[442]=1&source=1
-------- output --------
<input type="hidden" name="csrfToken" value="01aa8d343f8c76a82b4 [...]
<div id="formErrors">
<span class="pkp_form_error">Errors occurred processing this for [...]
-------- vs --------
<input type="hidden" name="csrfToken" value="01aa8d343f8c76a82b4 [...]
<input type="hidden" name="source" value="1" />
<div id="formErrors">
- The ‘source’ parameter of the /index.php/bej/user/registerUser CGI:
/index.php/bej/user/registerUser?username=&reviewerGroup[390]=1&email=&csrfToken=5f53622ec36b57875e6607d96a02b3d9&country=&authorGroup[388]=1&affiliation[en_US]=&firstName=&lastName=&middleName=&password=&password2=&readerGroup[391]=1&source=1
-------- output --------
<input type="hidden" name="csrfToken" value="80d3f953b79f782d98b [...]
<div id="formErrors">
<span class="pkp_form_error">Errors occurred processing this for [...]
-------- vs --------
<input type="hidden" name="csrfToken" value="80d3f953b79f782d98b [...]
<input type="hidden" name="source" value="1" />
<div id="formErrors">
- The ‘source’ parameter of the /index.php/bej/login CGI […]
I would appreciate it if you could kindly provide some help to resolve these issues. Thank you.
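Added example for the clickjacking finding (my own code, not from the original post and not part of OJS): a small Python check that classifies a set of response headers as protected or not, recognising X-Frame-Options DENY/SAMEORIGIN and a Content-Security-Policy frame-ancestors directive, and treating the obsolete ALLOW-FROM form and a wildcard frame-ancestors as no protection. The header sets in SAMPLES are constructed for the demonstration, not captured from any server; check_url only touches the network when a URL is passed on the command line.

```python
"""Check whether HTTP response headers carry a clickjacking mitigation,
the way a scanner does for each page it lists."""
import sys
import urllib.request


def clickjacking_mitigation(headers):
    """Return (protected, reason) for a mapping of response headers.

    Recognised mitigations: X-Frame-Options DENY or SAMEORIGIN, or a
    Content-Security-Policy frame-ancestors directive whose source list
    is not '*'. Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = sources.strip()
            if sources and sources != "*":
                return True, "Content-Security-Policy: frame-ancestors " + sources
            return False, "frame-ancestors allows any origin"
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never widely supported and current browsers ignore it.
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed sample header sets for the demonstration (not real captures).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html; charset=utf-8"},
    "xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.org"},
}


def check_url(url):
    """Fetch one page and classify its headers. Only called explicitly,
    so running the script without arguments stays offline."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return clickjacking_mitigation(dict(resp.headers.items()))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for url in targets:
            print(url, *check_url(url))
    else:
        for name, headers in SAMPLES.items():
            print(name, *clickjacking_mitigation(headers))
```

The scanner flags only the pages with a clickable element, but the header belongs on every response, so set it at the web server rather than per page: with Apache's mod_headers, `Header always set X-Frame-Options "SAMEORIGIN"` in the virtual host; with nginx, `add_header X-Frame-Options "SAMEORIGIN" always;`. After reloading the server, run the script with the listed URLs as arguments to confirm each one now reports protected.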
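Added example for the blind SQL injection and unseen parameter findings on the ‘source’ parameter (my own code, not the poster's and not OJS code): in both findings the scanner's evidence is the hidden `source` input changing to reflect the last of the duplicated `source` values in the query string. This reproduces that offline: a parser that resolves repeated names the way PHP's $_GET does (last occurrence wins), the hidden field rendered with the reflected value HTML-escaped (the example's own guard, not a description of how OJS renders it), and the same before/after comparison the scanner prints. The query strings are constructed to match the shape of the report's requests, with the csrfToken shortened to `tok`.

```python
"""Reproduce, offline, what a duplicated 'source' query parameter does when
the page reflects it into a hidden form field."""
from html import escape
from urllib.parse import parse_qsl


def php_get(query):
    """Build a dict the way PHP populates $_GET for a flat query string:
    a repeated name keeps the last value. Names such as readerGroup[442]
    are kept verbatim rather than expanded into nested arrays."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name] = value
    return params


def hidden_source_field(params):
    """Render the hidden 'source' input, HTML-escaping the reflected value
    so it cannot close the attribute or inject markup."""
    value = escape(params.get("source", ""), quote=True)
    return '<input type="hidden" name="source" value="%s" />' % value


def differential(query_a, query_b):
    """Return (changed, field_a, field_b): the same comparison the scanner
    prints between its '-------- output --------' and '-------- vs --------'."""
    field_a = hidden_source_field(php_get(query_a))
    field_b = hidden_source_field(php_get(query_b))
    return field_a != field_b, field_a, field_b


# Constructed requests modelled on the scanner's, not captured traffic.
BASELINE = "username=&csrfToken=tok&password=&remember=1&source="
MUTATED = ("username=&csrfToken=tok&password=&remember=1&source=zz"
           "&csrfToken=tok&password=&remember=1&source=yy")

if __name__ == "__main__":
    changed, before, after = differential(BASELINE, MUTATED)
    print("response changed:", changed)
    print(before)
    print(after)
    # A hostile value is neutralised by the escaping on output.
    print(hidden_source_field({"source": '"><script>'}))
```

Running it prints the same two `value=""` / `value="yy"` lines the report shows, which is what the scanner's differential is measuring for this parameter; the last line shows the reflected value with quotes and angle brackets escaped.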