by andrecolbert » Tue Jun 19, 2012 5:19 pm
I searched the forum before posting a new topic on this issue, but the search resulted in zero. I find it very odd that no-one has posted a question or comment about such a basic security issue.
My concern is that when an author uploads a submission, there seem to be no restrictions on file types or the ability for OJS to implement a third party virus scan. If this is the case, what settings are available to scan submissions before they are uploaded?
On the surface, OJS looks like it exposes OJS installations to malicious script and/or virus files disguised as submissions. I say this because I discovered a submission posted to our journal that was not a DOC file but a PHP file. I immediately rejected and archived the file. But if a journal has many editors who are not tech-savvy, one of them may accidentally open a bogus submission and trigger moderate to severe harm to their OJS installation, their computer and even their network, depending on the contents of the file.
by asmecher » Tue Jun 19, 2012 5:40 pm
Hi andrecolbert,
There is no internal virus scan, but one could be implemented as a plugin or using a server-side virus scanner without any OJS integration being needed. To prevent server-side execution, the files_dir should always be configured outside of the web server's root directory (see recommended configuration in docs/README); that way file access is always mediated by PHP rather than allowing potential access directly via the web server.
Regards,
Alec Smecher
Public Knowledge Project Team
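
A check for the files_dir advice in the reply above, as an added example that is not part of the original posts and is not OJS's own code: it reads files_dir from config.inc.php and reports whether it resolves inside the web server's document root. It assumes the INI-style config.inc.php with a [files] section and that a relative value is resolved against the install directory; the function names and the directory layout in demo() are constructed for illustration.

```python
import os
import tempfile

def read_files_dir(config_path):
    """Return the files_dir value from the [files] section of an INI-style config."""
    section = None
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue  # blank line or ";" comment line
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
                continue
            key, sep, value = line.partition("=")
            if sep and section == "files" and key.strip() == "files_dir":
                return value.strip().strip("\"'")
    return None

def files_dir_is_web_reachable(config_path, docroot):
    """True if files_dir resolves to a path at or below the document root."""
    value = read_files_dir(config_path)
    if value is None:
        raise ValueError("no files_dir in [files] section")
    base = os.path.dirname(os.path.abspath(config_path))
    # Assumption: relative values are relative to the install directory.
    # realpath also follows symlinks, so a link into the docroot is caught.
    target = os.path.realpath(os.path.join(base, value))
    root = os.path.realpath(docroot)
    return os.path.commonpath([target, root]) == root

def demo():
    """Constructed layout: <tmp>/www is the docroot, <tmp>/www/ojs the install."""
    tmp = tempfile.mkdtemp()
    install = os.path.join(tmp, "www", "ojs")
    outside = os.path.join(tmp, "ojs-files")
    os.makedirs(install)
    os.makedirs(outside)
    cfg = os.path.join(install, "config.inc.php")
    results = {}
    for label, value in (("inside", "files"), ("outside", outside)):
        with open(cfg, "w", encoding="utf-8") as fh:  # constructed sample config
            fh.write("; constructed sample config\n[files]\n")
            fh.write("files_dir = %s\n" % value)
        results[label] = files_dir_is_web_reachable(cfg, os.path.join(tmp, "www"))
    return results

if __name__ == "__main__":
    print(demo())
```

A False result covers only the document root passed in; a directory that the web server maps through an alias or a second virtual host needs the same check against that root.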