Bug 5563

Summary: Plugin management functions not authenticated
Product: OJS
Reporter: Matthew Crider <mattcrider>
Component: Plug-ins
Assignee: Matthew Crider <mattcrider>
Status: RESOLVED FIXED
Severity: normal
CC: alec, pkp-support
Priority: P5
Version: 2.3.2
Hardware: PC
OS: Mac OS X 10.4
Version Reported In:
Also Affects: OCS 2.3.3, OHS 2.3.1, OJS 2.3.2
Attachments: Patch against Harvester 2.3.0 and above
Patch against OCS 2.3.0 and above
Patch against OJS 2.3.0 and above

Description Matthew Crider 2010-07-10 11:46:49 PDT
Perform audit of validation methods in plugin management handler.
Comment 1 Matthew Crider 2010-07-10 12:30:59 PDT
Created attachment 3137
Patch against Harvester 2.3.0 and above
Comment 2 Matthew Crider 2010-07-10 12:31:27 PDT
Created attachment 3138
Patch against OCS 2.3.0 and above
Comment 3 Matthew Crider 2010-07-10 12:31:49 PDT
Created attachment 3139
Patch against OJS 2.3.0 and above
Comment 4 Matthew Crider 2010-07-10 12:32:14 PDT
All changes pushed to official.
Comment 5 Alec Smecher 2010-08-10 13:34:20 PDT
This bug should be considered a serious security risk. It affects the following releases:

OJS 2.3.0
OJS 2.3.1

OCS 2.3.0
OCS 2.3.1
OCS 2.3.2

Harvester 2.3.0

It can be corrected by upgrading to OJS 2.3.2, OCS 2.3.3, and OHS (nee Harvester) 2.3.1, or by applying the patches attached to this entry using the GNU patch tool. See http://en.wikipedia.org/wiki/Patch_%28Unix%29 for details on the patch tool.