Severe security risk with OJS?

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
The Public Knowledge Project Support Forum is moving to

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.
Posts: 3
Joined: Wed May 23, 2012 6:09 am

Severe security risk with OJS?

Postby andrecolbert » Tue Jun 19, 2012 5:19 pm

I searched the forum before posting a new topic on this issue, but the search resulted in zero. I find it very odd that no-one has posted a question or comment about such a basic security issue.

My concern is that when an author uploads a submission, there seems to be no restrictions on file types or the ability for OJS to implement a third party virus scan. If this is the case, what settings are available to scan submissions before they are uploaded?

On the surface, OJS looks like it exposes OJS installations to malicious script and/or virus files disguised as submissions. I say this because I discovered a submission posted to our journal that was not a DOC file but a PHP file. I immediately rejected and archived the file. But If a journal has many editors who are not tech savvy, one of them may accidentally open a bogus submission and trigger moderate to severe harm to their OJS installation, their computer and even their network, depending on the contents of the file.

Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm

Re: Severe security risk with OJS?

Postby asmecher » Tue Jun 19, 2012 5:40 pm

Hi andrecolbert,

There is no internal virus scan, but one could be implemented as a plugin or using a server-side virus scanner without any OJS integration being needed. To prevent server-side execution, the files_dir should always be configured outside of the web server's root directory (see recommended configuration in docs/README); that way file access is always mediated by PHP rather than allowing potential access directly via the web server.

Alec Smecher
Public Knowledge Project Team

Return to “OJS Technical Support”

Who is online

Users browsing this forum: Baidu [Spider] and 2 guests