Severe security risk with OJS?

Postby andrecolbert » Tue Jun 19, 2012 5:19 pm

I searched the forum before posting a new topic on this issue, but the search resulted in zero. I find it very odd that no one has posted a question or comment about such a basic security issue.

My concern is that when an author uploads a submission, there seem to be no restrictions on file types or any ability for OJS to implement a third-party virus scan. If this is the case, what settings are available to scan submissions before they are uploaded?

On the surface, OJS looks like it exposes OJS installations to malicious script and/or virus files disguised as submissions. I say this because I discovered a submission posted to our journal that was not a DOC file but a PHP file. I immediately rejected and archived the file. But if a journal has many editors who are not tech savvy, one of them may accidentally open a bogus submission and trigger moderate to severe harm to their OJS installation, their computer and even their network, depending on the contents of the file.
andrecolbert
 
Posts: 3
Joined: Wed May 23, 2012 6:09 am

Re: Severe security risk with OJS?

Postby asmecher » Tue Jun 19, 2012 5:40 pm

Hi andrecolbert,

There is no internal virus scan, but one could be implemented as a plugin or using a server-side virus scanner without any OJS integration being needed. To prevent server-side execution, the files_dir should always be configured outside of the web server's root directory (see recommended configuration in docs/README); that way file access is always mediated by PHP rather than allowing potential access directly via the web server.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8599
Joined: Wed Aug 10, 2005 12:56 pm
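The reply above makes two points a sysadmin can actually check: files_dir must resolve outside the web server's document root (including via symlinks), and a submission whose extension says DOC can still be a PHP script. The following is an added example, not code from the thread or from the OJS project: a standalone Python check that (1) verifies a files_dir really lies outside a given web root after symlink resolution and (2) walks an uploads directory flagging files whose leading bytes contain a PHP open tag regardless of extension. The directory names, the `files_dir_is_outside_webroot` / `find_suspicious_uploads` helpers and the two submission files are constructed for the demo; the OJS setting name `files_dir` is the only thing taken from the original post.

```python
"""Added example: sanity checks for an OJS-style uploads directory.

Check 1: files_dir must not be inside the web server document root,
         so the web server can never serve or execute uploads directly.
Check 2: flag uploads whose content is a PHP script, whatever the
         extension says (the poster found a PHP file named as a .doc).
All paths and file contents below are constructed for demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches "<?php" (word boundary) or the "<?=" echo tag; long tags only,
# since short tags are off by default and matching bare "<?" would flag XML.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def files_dir_is_outside_webroot(files_dir, web_root):
    """True if files_dir, after resolving symlinks, is not under web_root.

    resolve() is what makes this catch a files_dir that is a symlink
    pointing into the document root (or vice versa).
    """
    f = Path(files_dir).resolve()
    w = Path(web_root).resolve()
    try:
        f.relative_to(w)
    except ValueError:
        return True      # not a descendant of web_root: good
    return False         # reachable from the web root: bad


def looks_like_php(path, sniff_bytes=4096):
    """True if the first sniff_bytes of the file contain a PHP open tag."""
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes)
    return PHP_TAG.search(head) is not None


def find_suspicious_uploads(files_dir):
    """Walk files_dir and return sorted paths whose content looks like PHP."""
    hits = []
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            p = os.path.join(root, name)
            if looks_like_php(p):
                hits.append(p)
    return sorted(hits)


def demo():
    """Build a throwaway layout: one files_dir inside the web root, one outside,
    and two constructed submissions in the outside one (one benign, one PHP)."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "public_html"
    inside = web_root / "files"       # the misconfiguration the reply warns against
    outside = base / "ojs_files"      # the recommended layout
    for d in (inside, outside):
        d.mkdir(parents=True)
    (outside / "submission_1.doc").write_bytes(b"Real document text, not a script.")
    (outside / "submission_2.doc").write_bytes(b"<?php system($_GET['c']); ?>")
    return {
        "inside_ok": files_dir_is_outside_webroot(inside, web_root),    # False
        "outside_ok": files_dir_is_outside_webroot(outside, web_root),  # True
        "suspicious": [os.path.basename(p) for p in find_suspicious_uploads(outside)],
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints `inside_ok` False, `outside_ok` True and `['submission_2.doc']` as the one upload whose bytes are PHP. Note the scope of each check: keeping files_dir outside the web root stops the server from executing a planted script, but it does nothing for an editor who downloads that file and opens it locally, which is the scenario the original poster worries about; the content sniff (or a real server-side scanner such as the one the reply suggests, run over files_dir) is what addresses that side.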
