Correct missing escaping of template variable #3785

Closed
asmecher opened this issue Jun 11, 2018 · 1 comment
Labels: Bug:1:Low (A bug that does not have a severe consequence or affects a small number of users.)

asmecher commented Jun 11, 2018

The $authors variable in templates/frontend/pages/search.tpl is not escaped. This permits a reflected (non-persistent) XSS attack.

Instructions to patch are here: #3785 (comment)
See also the notes there about affected theme plugins.

Affects OJS 3.0.0 to 3.1.1-1 (inclusive).

https://nvd.nist.gov/vuln/detail/CVE-2018-12229
Thanks to Metamorfosec for discovery & reporting.

asmecher commented Jun 11, 2018

This issue applies to OJS between 3.0.0 and 3.1.1-1 and the themes noted below, and can be corrected by applying this patch: https://github.com/pkp/ojs/commit/ba66a117835a8bbbed4fb12d3c35734e996a211f.diff

For example, on most Linux systems this should work. Run it inside the OJS installation directory.

wget -q -O - https://github.com/pkp/ojs/commit/ba66a117835a8bbbed4fb12d3c35734e996a211f.diff | patch -p1

You should see the following output:

patching file templates/frontend/pages/search.tpl

The issue is corrected in OJS 3.1.1-2 and newer.

If you're using checkouts from git, all stable branches (e.g. ojs-stable-3_1_1) have been patched.

If you are using the Bootstrap theme plugin, version 1.1.4 corrects a similar issue. Users of older versions than 1.1.4 should update.

If you are using the Health Sciences theme plugin, version 1.0.1 corrects a similar issue. Users of 1.0.0 should update.

asmecher reopened this Jun 11, 2018
NateWr added a commit to pkp/bootstrap3 that referenced this issue Jun 12, 2018
asmecher added the Bug:1:Low label Jun 22, 2018
SuperDomek added a commit to SuperDomek/eries that referenced this issue Jun 25, 2018
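
Because the same missing escaping also turned up in theme plugins, custom or forked themes are worth auditing for it too. The following is an added example, not code from this issue or from PKP: a small scanner that lists Smarty variable output tags carrying no `escape` modifier. The function names, the sample template and the choice to treat only `escape` as safe are assumptions; flagged tags are candidates for manual review, not confirmed vulnerabilities.

```python
import pathlib
import re
import sys

# Smarty tags that print a variable directly, e.g. {$authors} or {$a.b|escape}
VAR_TAG = re.compile(r"\{\$[^{}\n]*\}")
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")
# Assumption: only Smarty's built-in `escape` modifier counts as safe here.
# Add any other sanitising modifiers your code base relies on.
SAFE_MODIFIERS = {"escape"}


def modifiers(tag):
    """Return modifier names used in a tag such as {$x|lower|escape:"html"}."""
    body = QUOTED.sub("", tag[1:-1])  # drop quoted arguments so a '|' inside them is ignored
    return [part.split(":", 1)[0].strip() for part in body.split("|")[1:]]


def find_unescaped(template_text):
    """List (line_number, tag) for variable output tags with no safe modifier."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in VAR_TAG.finditer(line):
            tag = match.group(0)
            if not SAFE_MODIFIERS.intersection(modifiers(tag)):
                findings.append((lineno, tag))
    return findings


# Constructed sample template, not the real search.tpl.
SAMPLE_TPL = """\
<input type="text" name="query" value="{$query|escape}">
<input type="text" name="authors" value="{$authors}">
<h1>{$pageTitle|upper}</h1>
<p>{$summary|truncate:80:"..."|escape:"html"}</p>
{translate key="search.results" count=$total}
"""

if __name__ == "__main__":
    # Usage: python scan_tpl.py <template-directory>; without an argument, scan the sample.
    if len(sys.argv) > 1:
        for path in sorted(pathlib.Path(sys.argv[1]).rglob("*.tpl")):
            for lineno, tag in find_unescaped(path.read_text(errors="replace")):
                print(f"{path}:{lineno}: {tag}")
    else:
        for lineno, tag in find_unescaped(SAMPLE_TPL):
            print(f"sample:{lineno}: {tag}")
```

Variables passed as arguments to template functions (such as `count=$total` above) are not printed directly and are not reported by this check.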