
Correct missing escaping of template variable #3785

Closed
asmecher opened this Issue Jun 11, 2018 · 1 comment

@asmecher (Member) commented Jun 11, 2018

The $authors variable in templates/frontend/pages/search.tpl is not escaped. This permits a reflected (non-persistent) XSS attack.

Instructions to patch are here: #3785 (comment)
See also the notes there about affected theme plugins.

Affects OJS 3.0.0 to 3.1.1-1 (inclusive).

https://nvd.nist.gov/vuln/detail/CVE-2018-12229
Thanks to Metamorfosec for discovery & reporting.

@asmecher asmecher added this to the OJS/OMP 3.1.1-2 milestone Jun 11, 2018

@asmecher asmecher self-assigned this Jun 11, 2018

asmecher added a commit to pkp/ojs that referenced this issue Jun 11, 2018


@asmecher (Member, Author) commented Jun 11, 2018

This issue applies to OJS between 3.0.0 and 3.1.1-1 and the themes noted below, and can be corrected by applying this patch: https://github.com/pkp/ojs/commit/ba66a117835a8bbbed4fb12d3c35734e996a211f.diff

For example, on most Linux systems this should work. Run it inside the OJS installation directory.

wget -q -O - https://github.com/pkp/ojs/commit/ba66a117835a8bbbed4fb12d3c35734e996a211f.diff | patch -p1

You should see the following output:

patching file templates/frontend/pages/search.tpl

The issue is corrected in OJS 3.1.1-2 and newer.

If you're using checkouts from git, all stable branches (e.g. ojs-stable-3_1_1) have been patched.

If you are using the Bootstrap theme plugin, version 1.1.4 corrects a similar issue. Users of versions older than 1.1.4 should update.

If you are using the Health Sciences theme plugin, version 1.0.1 corrects a similar issue. Users of 1.0.0 should update.
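The patch procedure above, wrapped as an added example script (not code from pkp/ojs or this issue's author): it checks the installed release against the affected range 3.0.0 to 3.1.1-1, dry-runs the upstream diff before touching any file, and confirms the expected "patching file" output. It assumes the release string is stored in dbscripts/xml/version.xml, which is an assumption about the install layout.

```shell
#!/bin/sh
# Added example, not code from pkp/ojs: decide whether an OJS install is in the
# affected range (3.0.0 .. 3.1.1-1) and, if so, dry-run the upstream diff before
# applying it. Assumes the release string lives in dbscripts/xml/version.xml
# (an assumption about the install layout; adjust the path if yours differs).
PATCH_URL="https://github.com/pkp/ojs/commit/ba66a117835a8bbbed4fb12d3c35734e996a211f.diff"

# Normalise "3.1.1-1", "3.1.1.1" or "3.1.1" to four dot-separated integers.
normalize_version() {
    printf '%s\n' "$1" | tr '-' '.' |
        awk -F. '{ printf "%d.%d.%d.%d\n", $1+0, $2+0, $3+0, $4+0 }'
}

# Print -1, 0 or 1 according to whether version $1 is below, equal to or above $2.
version_cmp() {
    printf '%s %s\n' "$(normalize_version "$1")" "$(normalize_version "$2")" |
        awk '{ split($1, x, "."); split($2, y, ".")
               for (i = 1; i <= 4; i++) {
                   if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
                   if (x[i] + 0 > y[i] + 0) { print "1"; exit }
               }
               print "0" }'
}

# True (exit 0) when the version is within 3.0.0 .. 3.1.1-1 inclusive.
is_affected() {
    [ "$(version_cmp "$1" 3.0.0)" -ge 0 ] && [ "$(version_cmp "$1" 3.1.1-1)" -le 0 ]
}

# Run from the OJS installation directory: verify the range, then patch safely.
apply_fix() {
    release=$(sed -n 's:.*<release>\(.*\)</release>.*:\1:p' dbscripts/xml/version.xml)
    if ! is_affected "$release"; then
        echo "OJS $release is outside the affected range; nothing to do"
        return 0
    fi
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$PATCH_URL" || { echo "download failed"; rm -f "$tmp"; return 1; }
    # Refuse to touch files unless the diff applies cleanly (e.g. already patched).
    if ! patch -p1 --dry-run < "$tmp" > /dev/null; then
        echo "diff does not apply cleanly: already patched or locally modified template?"
        rm -f "$tmp"; return 1
    fi
    out=$(patch -p1 < "$tmp"); rm -f "$tmp"
    echo "$out"
    case "$out" in *"patching file templates/frontend/pages/search.tpl"*) return 0 ;; esac
    echo "unexpected patch output; review the working tree before continuing"; return 1
}

if [ "${1:-}" = "--apply" ]; then apply_fix; fi
```

Invoke as `sh fix-3785.sh --apply` from the OJS root; without `--apply` the script only defines the helpers.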

@asmecher asmecher closed this Jun 11, 2018

@asmecher asmecher reopened this Jun 11, 2018

@asmecher asmecher closed this Jun 11, 2018

NateWr added a commit to NateWr/bootstrap3 that referenced this issue Jun 12, 2018

@asmecher asmecher added the Bug label Jun 22, 2018

SuperDomek added a commit to SuperDomek/eries that referenced this issue Jun 25, 2018
