A serious security vulnerability has been discovered in the PKP Open Conference Systems (OCS) versions 1.1.6 and prior.
Details are available at: http://www.securityfocus.com/archive/1/448548/30/30/threaded
A patch is available to correct the problem. You should apply this patch immediately by running patch -p0 < cumulative.diff
in the OCS installation directory.
Intruders can exploit this vulnerability to escalate privileges and gain control of the hosting server. You should check whether there have been any logins by privileged users from unauthorized IP addresses in the last week. Exploit attempts can also be found by searching the web server logs for requests to theme.inc.php and footer.inc.php with "fullpath" specified as a URL parameter.
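The log check described above, written out as an added example (this is not part of the advisory or of the OCS project). It scans web server access logs in the common Apache/nginx "combined" format and reports requests whose path ends in theme.inc.php or footer.inc.php and whose query string carries a "fullpath" parameter, which is the indicator the advisory names. The log lines and the include/ directory path are constructed sample data; real OCS installations may place these files elsewhere, which is why the match is on the file name only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator from the advisory: the two include files and the URL parameter name.
TARGET_FILES = {"theme.inc.php", "footer.inc.php"}
SUSPECT_PARAM = "fullpath"

# Apache/nginx "combined" log format: client IP, ident, user, timestamp, request line, status, size.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log (not taken from any real server). The parameter
# values are placeholders; the check keys on the parameter name, not its value.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /ocs/index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2006:13:56:01 +0000] "GET /ocs/include/theme.inc.php?fullpath=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/7.15"
198.51.100.22 - - [10/Oct/2006:14:02:17 +0000] "GET /ocs/include/footer.inc.php?FULLPATH= HTTP/1.1" 200 128 "-" "-"
203.0.113.5 - - [10/Oct/2006:14:03:00 +0000] "GET /ocs/include/footer.inc.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2006:14:05:44 +0000] "POST /ocs/include/theme.inc.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_fullpath_probe(target):
    """True if the request target names one of the affected include files and
    carries a 'fullpath' query parameter (matched case-insensitively, so that
    case variations of the parameter name are still surfaced for review)."""
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1]
    if filename not in TARGET_FILES:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return SUSPECT_PARAM in {k.lower() for k in params}


def find_exploit_attempts(log_text):
    """Scan a block of log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_fullpath_probe(fields["target"]):
            hits.append({
                "ip": fields["ip"],
                "timestamp": fields["ts"],
                "method": fields["method"],
                "target": fields["target"],
                "status": fields["status"],
            })
    return hits


if __name__ == "__main__":
    # In practice, feed the real access log: find_exploit_attempts(open(path).read())
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

Run against a real access log, the output gives the source IPs and timestamps to correlate with the privileged-login review the advisory also asks for. Requests to the two files without a "fullpath" parameter are normal page includes and are deliberately not reported.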
This vulnerability does not affect the PKP Open Journal Systems or the PKP Metadata Harvester.
If you have any questions about this exploit, please contact us.
OCS versions 1.1.7 and 2.0 and greater are not affected by this vulnerability.