You are viewing the PKP Support Forum | PKP Home Wiki

Security vulnerability in Open Conference Systems <= 1.1.6

Are you responsible for making OCS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, michael, John

Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.

Security vulnerability in Open Conference Systems <= 1.1.6

Postby kstranac » Fri Oct 20, 2006 11:44 am

A serious security vulnerability has been discovered in the PKP Open Conference Systems (OCS) versions 1.1.6 and prior.

Details are available at:


A patch is available to correct the problem. You should apply this patch immediately by running

patch -p0 < cumulative.diff

in the ocs installation directory.

Intruders can take advantage of this expoit through privilege escalation to gain control of the hosting server. You should check to see if there have been any logins by privileged users from unauthorized IP addresses in the last week. Also, exploit attempts can be found by searching the logs for requests to theme.inc.php and footer.inc.php with "fullpath" specified as a URL parameter.

This vulnerability does not affect the PKP Open Journal Systems or the PKP Metadata Harvester.

If you have any questions about this exploit, please contact us.

OCS versions 1.1.7 and 2.0 and greater are not affected by this vulnerability.
Site Admin
Posts: 75
Joined: Wed Sep 21, 2005 3:31 pm

Additional patch

Postby mjordan » Mon Oct 23, 2006 3:55 pm

If you applied the orginal patch released on Oct. 18, you should apply this patch to bring your installation up to date. If you have not previously applied a patch, use the cumulative one linked above.
Posts: 22
Joined: Wed Mar 17, 2004 10:59 pm
Location: Vancouver, BC, Canada


Postby szazs89 » Wed Nov 08, 2006 8:57 am

It seems to me that the changelogs and README file in 1.1.7 is from the 1.1.5 version...

(Btw. what is the best or recommended method for upgrading or applying the changes on an existing installation?)

sZs (admin of a screwed up server)
PS: I have also added a .htaccess in the ocs root, containing:

<Files "*.inc.php">
order deny,allow
deny from all

This helps to avoid direct http access to the phps to be included.
Posts: 3
Joined: Tue Jan 17, 2006 6:28 pm

Return to OCS Technical Support

Who is online

Users browsing this forum: No registered users and 0 guests