You are viewing the PKP Support Forum | PKP Home Wiki

Security vulnerability in Open Conference Systems (OCS) 1.x


Postby kstranac » Fri Oct 20, 2006 11:43 am

A serious security vulnerability has been discovered in PKP Open Conference Systems (OCS) 1.x.

Details are available at:


A patch is available to correct the problem. You should apply this patch immediately by running

patch -p1 < cumulative.diff

in the ocs installation directory.

Intruders can take advantage of this exploit through privilege escalation to gain control of the hosting server. You should check to see if there have been any logins by privileged users from unauthorized IP addresses in the last week. Also, exploit attempts can be found by searching the logs for requests to theme.inc.php and footer.inc.php with "fullpath" specified as a URL parameter.

This vulnerability does not affect the PKP Open Journal Systems or the PKP Metadata Harvester. It does not affect any of the more recent OCS 2.x releases.

If you have any questions about this exploit, please contact us.
Site Admin
Posts: 75
Joined: Wed Sep 21, 2005 3:31 pm
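
The log search described in the post above, as an added example that is not part of the original post or of PKP's code. It assumes a web server access log in common/combined format; the function name, the sample lines and the DIR path segment are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Script names and parameter name as given in the advisory.
TARGET_SCRIPTS = ("theme.inc.php", "footer.inc.php")
PARAM = "fullpath"

# Assumed format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_attempts(lines):
    """Return (ip, time, status, target) for each request that names one of
    the two scripts and carries a 'fullpath' URL parameter."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        parts = urlsplit(m["target"])
        # Decode and lowercase the path so encoded or mixed-case names match.
        script = unquote(parts.path).rsplit("/", 1)[-1].lower()
        if script not in TARGET_SCRIPTS:
            continue
        # parse_qsl percent-decodes names; strip PHP array suffixes ("fullpath[]").
        names = {k.split("[", 1)[0].lower()
                 for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if PARAM in names:
            hits.append((m["ip"], m["time"], m["status"], m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges; DIR is a placeholder).
SAMPLE = [
    '192.0.2.10 - - [18/Oct/2006:10:01:22 -0700] "GET /ocs/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Oct/2006:10:02:03 -0700] "GET /ocs/DIR/theme.inc.php?fullpath=EXAMPLE HTTP/1.1" 200 312',
    '203.0.113.7 - - [18/Oct/2006:10:02:09 -0700] "GET /ocs/DIR/footer.inc.php?x=1&full%70ath=EXAMPLE HTTP/1.0" 404 208',
    '198.51.100.4 - - [19/Oct/2006:08:15:40 -0700] "GET /ocs/DIR/theme.inc.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, when, status, target in find_attempts(SAMPLE):
        print(f"{when}  {ip}  status={status}  {target}")
```

The source IPs this reports can then be compared against the privileged-user logins mentioned in the post. Parameters sent in a POST body do not appear in an access log, so this covers only the URL-parameter case the post describes.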
