



Security error


Security error

Postby rramos » Tue Oct 09, 2012 12:31 am

It seems that it is possible to forward a user to a page outside the organization when performing authentication. This is due to incorrect validation of input data. A potential attacker could use this vulnerability to perform customized redirects without user intervention, and thus redirect the user to another page of the attacker's choosing. This enables other types of attacks, such as theft of user data or of the session.

In tests carried out on our development servers, it has been detected that one of the requests made to the server during the authentication process in the application contains a parameter "source" which includes a return address that can be manipulated.

How can we correct this vulnerability?

Thanks!!
rramos
 
Posts: 10
Joined: Thu Sep 13, 2012 11:35 pm

Re: Security error

Postby JasonNugent » Wed Oct 10, 2012 6:31 am

Hi rramos,

You're correct, the redirection that occurs after login should be sanitized to ensure that it is to a page within OJS. However, the risk in the current situation is quite low -- someone wishing to redirect you to a page of their choosing would need to a) know that you had an account within an OJS installation or an active session, and b) convince you somehow to follow their crafted link.

I have filed this as a bug at http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=7959 if you wish to add yourself to the CC list in order to be notified when it is fixed.

Regards,
Jason
JasonNugent
Site Admin
 
Posts: 894
Joined: Tue Jan 10, 2006 6:20 am
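To make the point above concrete, here is an added example (not OJS code, and not the poster's patch) of how a post-login "source" value can be reduced to a site-relative path before it is placed in a Location header. The function names, the fallback path /index.php/index/user and the sample inputs are assumptions constructed for this example; the only fact taken from the thread is that "source" carries the return address used after login.

```php
<?php
// Added example, not OJS code: reduce a post-login "source" value to a
// site-relative path before redirecting. Function names, the fallback
// path and the sample inputs are constructed for this example.

/**
 * Return $source if it is a site-relative path, otherwise $fallback.
 * Rejects absolute URLs (a scheme), protocol-relative URLs ("//host"),
 * backslash variants ("/\host", which browsers normalise to "//host")
 * and CR/LF (Location header injection).
 */
function safe_redirect_target($source, $fallback = '/index.php/index/user') {
    if (!is_string($source) || $source === '') {
        return $fallback;
    }
    // Exactly one leading "/" followed by an ordinary path character:
    // this excludes "//host", "/\host", "/@host" and anything carrying a
    // scheme such as "http:" or "javascript:".
    if (preg_match('#^/[A-Za-z0-9_.~-]#', $source) !== 1) {
        return $fallback;
    }
    // No backslash, CR, LF or NUL anywhere in the value.
    if (strpbrk($source, "\\\r\n\0") !== false) {
        return $fallback;
    }
    // Belt and braces: parse_url() must not find a scheme or a host.
    $parts = parse_url($source);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $source;
}

// Vulnerable pattern described in the thread: the Location header is
// built straight from the request parameter, so "source" decides the host.
function redirect_after_login_unsafe($source) {
    return 'Location: ' . $source;
}

// Hardened replacement: only a validated site-relative path is ever emitted.
function redirect_after_login($source) {
    return 'Location: ' . safe_redirect_target($source);
}

// Constructed sample inputs: one legitimate return address, then the
// usual open-redirect payloads.
$samples = array(
    '/index.php/journal/article/view/12',
    'http://attacker.example/phish',
    '//attacker.example/phish',
    '/\\attacker.example/phish',
    "/index.php/journal\r\nSet-Cookie: sid=evil",
    'javascript:alert(1)',
    '',
);
foreach ($samples as $s) {
    printf("%-48s -> %s\n", json_encode($s), safe_redirect_target($s));
}
```

Only the first sample survives; every other value falls back to the in-site user page. The check is deliberately an allow-list on the shape of the value rather than a deny-list of known hosts, so it does not need updating when a new bypass trick appears.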

Re: Security error

Postby rramos » Thu Oct 11, 2012 4:13 am

Thank you very much for your help.
rramos
 

Re: Security error

Postby rramos » Fri Nov 09, 2012 1:27 am

If anyone is interested, I modified the code in:
lib/pkp/pages/login/PKPLoginHandler.inc.php

In this file I created a small patch:
Code:

    function antiXSS(&$source) {
        // Keep only a site-relative path (one leading "/" that is not followed by
        // another "/" or a "\", and no CR/LF), so an absolute or protocol-relative
        // URL such as "http://..." or "//..." can no longer be used as the
        // post-login redirect target. Note: strpos() returns false when "/" is
        // absent and false == 0 in PHP, so a plain "== 0" test cannot tell the
        // "starts with /" and "has no /" cases apart.
        if (!is_string($source) || preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $source) !== 1) {
            $source = "";
        }
    }


and in this other function I called my function:

Code:

    function signIn() {
        $this->validate();
        $this->setupTemplate();
        if (Validation::isLoggedIn()) {
            PKPRequest::redirect(null, 'user');
        }

        if (Config::getVar('security', 'force_login_ssl') && Request::getProtocol() != 'https') {
            // Force SSL connections for login
            PKPRequest::redirectSSL();
        }

        $user = Validation::login(Request::getUserVar('username'), Request::getUserVar('password'), $reason, Request::getUserVar('remember') == null ? false : true);
        if ($user !== false) {
            if ($user->getMustChangePassword()) {
                // User must change their password in order to log in
                Validation::logout();
                PKPRequest::redirect(null, null, 'changePassword', $user->getUsername());

            } else {
                $source = Request::getUserVar('source');
                $this->antiXSS($source); // MY FUNCTION: empties $source unless it is a site-relative path
                // ... remainder of signIn() unchanged (the redirect that consumes $source)
            }
        }
    }

It's silly but it works

GREETINGS!!
rramos
 

