PKP Bugzilla – Bug 8040
Cross Site Attacks reported by Hosting Company - IP is blocked
Last modified: 2012-11-26 09:45:26 PST
Created attachment 3891
Error reported by Hosting Company for OJS
OJS 2.8.3 is installed at a hosting company. Every time a user registers, the IP is blocked by the hosting company. The attachment shows the exact error on the server.
The hosting company advised that the error is in /lib/pkp/js/jquery.cookie.js and that the developer should check it in particular.
Should upgrading to a newer version resolve this issue?
The installed version is 2.3.8 and not 2.8.3.
The exact error is also reported on some earlier version here: http://pkp.sfu.ca/support/forum/viewtopic.php?f=8&t=8188
I'm marking this invalid for two reasons:
- It's not our code, i.e. the problem resides either in the third-party jquery.cookie.js or in the mod_security rules that target it (clearly the latter IMO)
- The "correct" solution, per the discussion at <http://drupal.org/node/522646>, is to correct the broken mod_security rule or pester your ISP into doing the same.
If you need to rename jquery.cookie.js while your ISP is reading your request for a rule correction (hint hint), you can do so by:
1) renaming lib/pkp/js/lib/jquery/plugins/jquery.cookie.js to e.g. jquery.c.js
2) editing templates/common/minifiedScripts.tpl and updating the same filename there to the new name.
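The two-step rename workaround above, as an added example that is not part of the original comment or of PKP's code. The function names are hypothetical and the sample tree is constructed; the paths and the jquery.c.js name are the ones given in the comment.

```shell
#!/bin/sh
# Added example (not PKP code): apply the two-step rename workaround to an OJS tree.
# Paths come from the comment above; the default new name is its "jquery.c.js" suggestion.

rename_cookie_plugin() {
    root=$1
    new_name=${2:-jquery.c.js}
    old_name=jquery.cookie.js
    plugin_dir=$root/lib/pkp/js/lib/jquery/plugins
    tpl=$root/templates/common/minifiedScripts.tpl

    # Refuse to run on a tree that does not match the layout in the comment.
    [ -f "$plugin_dir/$old_name" ] || { echo "not found: $plugin_dir/$old_name" >&2; return 1; }
    [ -f "$tpl" ] || { echo "not found: $tpl" >&2; return 1; }
    [ ! -e "$plugin_dir/$new_name" ] || { echo "already exists: $new_name" >&2; return 1; }
    # Only plain file-name characters, so the name is safe inside the sed replacement.
    case $new_name in *[!A-Za-z0-9._-]*) echo "unsafe name: $new_name" >&2; return 1;; esac

    # Step 1: rename the plugin file.
    mv "$plugin_dir/$old_name" "$plugin_dir/$new_name" || return 1

    # Step 2: point the template at the new name; keep the original as .bak.
    cp -p "$tpl" "$tpl.bak" || return 1
    sed "s/jquery\.cookie\.js/$new_name/g" "$tpl.bak" > "$tpl" || return 1

    # Check: any other file still naming the old script would now fail to load it.
    stale=$(find "$root" -type f ! -name '*.bak' -exec grep -lF "$old_name" {} + || true)
    if [ -n "$stale" ]; then
        echo "still references $old_name:" >&2
        echo "$stale" >&2
        return 2
    fi
}

# Constructed sample tree so the function can be tried without a real install.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/lib/pkp/js/lib/jquery/plugins" "$t/templates/common"
    echo '/* plugin body */' > "$t/lib/pkp/js/lib/jquery/plugins/jquery.cookie.js"
    echo '<script src="{$baseUrl}/lib/pkp/js/lib/jquery/plugins/jquery.cookie.js"></script>' \
        > "$t/templates/common/minifiedScripts.tpl"
    echo "$t"
}
```

A return code of 2 means the rename was applied but another file still names jquery.cookie.js and needs the same edit.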