PKP Support Forum



PHP security issues


Post by ramon » Wed Apr 14, 2004 6:08 am

Hello fellow OJS users,

While developing another system here at IBICT we found a security breach when uploading files to the system.

If the system allows someone to upload a PHP file, they may be able to wipe out the database, or corrupt the system.

I did a short search in the forum on the subject but found no comments or posts, so my question is:

Does OJS deal with those security issues?
Especially because it allows any type of document to be sent to the server when uploading supplementary files...

Thanks to all
ramon
 
Posts: 931
Joined: Wed Oct 15, 2003 6:15 am
Location: Brasília/DF - Brasil

Post by kevin » Wed Apr 14, 2004 9:51 am

If OJS is installed as recommended and the files directory is placed outside of a web-accessible directory, this is not a problem.

It could potentially be a problem if this is not the case. If the attacker is able to determine the location of the files directory (either by guessing or if he has access to the server), he could upload a malicious PHP file. Ideally, the system should rename or reject any files ending in ".php*".
kevin
 
Posts: 338
Joined: Tue Oct 14, 2003 8:23 pm

Post by kevin » Wed Apr 14, 2004 10:43 am

This patch will rename uploaded .php* files to .txt

Index: admin/include/fileupload.php
===================================================================
RCS file: /cvs/ojs/admin/include/fileupload.php,v
retrieving revision 1.37
diff -u -r1.37 fileupload.php
--- a/admin/include/fileupload.php      17 Feb 2004 03:29:41 -0000      1.37
+++ b/admin/include/fileupload.php      14 Apr 2004 17:42:28 -0000
@@ -52,6 +52,10 @@
                        $filename = $chLongID.".".$fileext;
                }
               
+               if (preg_match("/(.*)\.php[^\.]*$/", $filename, $matches)) {
+                       $filename = $matches[1] . ".txt";
+               }
+               
                // set new directory
                $filedir = $filepath.$chDirectory;
                if(!file_exists($filedir)) { mkdir($filedir, 0755); }
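Review bot: The pattern in the added preg_match is case-sensitive and anchors on the last extension only ("\.php[^\.]*$"), so a name ending in ".PHP", or one where ".php" is followed by a further extension, reaches the mkdir/move code below with its name unchanged. Add the "i" modifier and test every dot-separated part of $filename, or better, accept only a list of expected extensions and reject the rest instead of listing what to block. Style: the dot inside the character class does not need escaping.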
@@ -94,6 +98,10 @@
                        $filename = $chLongID.".".$fileext;
                }
               
+               if (preg_match("/(.*)\.php[^\.]*$/", $filename, $matches)) {
+                       $filename = $matches[1] . ".txt";
+               }
+               
                // move the uploaded file, making the destination directory if necessary
                $filedir = $filepath.$chDirectory;
                if(!file_exists($filedir)) { mkdir($filedir, 0755); }
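Review bot: The check added at the top of this hunk is a verbatim copy of the one added at line 52; put it in one function and call it from both upload paths, so that a later correction to the pattern cannot be applied in one place and missed in the other. A one-line comment stating why ".php*" names are rewritten to ".txt" is also missing, and the rename is otherwise silent to the next maintainer.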

kevin
 
Posts: 338
Joined: Tue Oct 14, 2003 8:23 pm

Post by martin fietkiewicz » Thu Feb 17, 2005 4:09 am

How does one apply this patch? And is it OK that the data folder is on the root of the server but just not inside the OJS directory (which itself is a subdir on the root of the server, meaning ojs and ojsdata are "beside" each other)?
martin fietkiewicz
 

Post by kevin » Thu Feb 17, 2005 9:43 am

If you are unfamiliar with patch files, you may want to just download a complete new version of the script from here (or upgrade to a more recent version of OJS).

OJS does not care where your files directory is, but it is preferable to place it outside of any location where it is directly accessible from a web browser (or alternatively, you could restrict direct access to files through other means, e.g., by configuring your web server to do so).
kevin
 
Posts: 338
Joined: Tue Oct 14, 2003 8:23 pm
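
The two precautions discussed in this thread, keeping the files directory out of any web-accessible location and renaming ".php*" uploads, sketched as an added PHP example. It is not OJS code and not part of any post; the function names isUnderWebRoot and safeUploadName and the sample paths are hypothetical.

```php
<?php
// Added example, not OJS code. Function names and sample paths are hypothetical.

// True when $dir resolves (symlinks included) to $webRoot or a location below it.
function isUnderWebRoot(string $dir, string $webRoot): bool
{
    $dir  = realpath($dir);
    $root = realpath($webRoot);
    if ($dir === false || $root === false) {
        throw new RuntimeException('path does not exist');
    }
    // Compare with a trailing separator so /www/ojsdata is not taken to be inside /www/ojs.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Storage name for an upload: renamed to .txt when any extension starts with "php".
function safeUploadName(string $original): string
{
    // Keep only the final path component, whichever separator the client used.
    $name = basename(str_replace('\\', '/', $original));
    $name = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    if ($name === '') {
        throw new InvalidArgumentException('empty file name');
    }
    $segments = explode('.', $name);
    $base = array_shift($segments);
    foreach ($segments as $ext) {
        if (preg_match('/^php/i', $ext)) {   // the ".php*" rule, any case, any position
            return $base . '_' . implode('_', $segments) . '.txt';
        }
    }
    return $name;
}

// Constructed layout: a web root holding ojs/ and ojsdata/, plus a directory outside it.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
foreach (['www/ojs', 'www/ojsdata', 'private/ojsdata'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
var_dump(isUnderWebRoot("$tmp/www/ojsdata", "$tmp/www"));      // data dir inside the web root
var_dump(isUnderWebRoot("$tmp/www/ojsdata", "$tmp/www/ojs"));  // beside ojs, not inside it
var_dump(isUnderWebRoot("$tmp/private/ojsdata", "$tmp/www"));  // data dir outside the web root

// Constructed sample upload names.
foreach (['report.pdf', 'notes.PHP', 'figure.php.jpg', '../x.php5'] as $n) {
    printf("%-15s -> %s\n", $n, safeUploadName($n));
}
```

The comparison that matters for the files directory is against the web server's document root, not against the OJS directory: a data directory "beside" ojs can still sit inside the web root.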
