Use json_encode/json_decode instead of serialize/unserialize in report generator #5302

Closed
asmecher opened this issue Nov 26, 2019 · 6 comments
Labels: Bug:3:Critical

@asmecher asmecher commented Nov 26, 2019

JSON is limited to simple constructs like arrays, strings, and numbers. serialize/unserialize can be used to describe more complex objects, which may not be trustworthy.

Use json_encode/json_decode instead of serialize/unserialize in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP unserialize can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.

Affects OJS 3.x and OMP installations 3.1.2-1 and older.

Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.
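As an added illustration of the change this issue asks for (example code, not pkp-lib's own report generator), the hypothetical `columnsFromRequestUnsafe` below shows the pattern being removed: a report column selection arriving in a request parameter and being passed to `unserialize()`, which will instantiate whatever classes the payload names. The hypothetical `columnsFromRequest` is the replacement pattern: `json_decode()` can only produce arrays and scalars, so no object is ever constructed from the input, and the decoded value is then checked against an allow-list of column names. `ALLOWED_COLUMNS` and the sample URL parameter are constructed for this example; `JSON_THROW_ON_ERROR` assumes PHP 7.3 or newer.

```php
<?php
// Added example, not pkp-lib code. A report generator that receives its
// column selection from a request parameter, shown in the form this issue
// replaces (unserialize) and in the form it recommends (json_decode).

// Hypothetical allow-list of columns a report may contain.
const ALLOWED_COLUMNS = ['date', 'article_id', 'views', 'downloads'];

// BEFORE: the pattern this issue removes. unserialize() instantiates any
// class named in the payload and runs its __wakeup()/__destruct() hooks,
// so the caller has no control over what the input makes the process do.
function columnsFromRequestUnsafe(string $param): array
{
    // Even with ['allowed_classes' => false] (PHP 7.0+) the result would
    // still need the shape validation that the JSON version below performs.
    $columns = @unserialize($param);
    return is_array($columns) ? $columns : [];
}

// AFTER: JSON carries only arrays and scalars; no class is ever instantiated.
// Depth is capped and decoding failures are turned into "no selection".
function columnsFromRequest(string $param): array
{
    try {
        $decoded = json_decode($param, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return []; // malformed or over-deep input: fall back to no selection
    }
    if (!is_array($decoded)) {
        return []; // a bare string/number is not a column list
    }
    // Only plain strings present in the allow-list survive; everything
    // else (nested arrays, numbers, unknown names) is dropped.
    $columns = [];
    foreach ($decoded as $c) {
        if (is_string($c) && in_array($c, ALLOWED_COLUMNS, true)) {
            $columns[] = $c;
        }
    }
    return array_values(array_unique($columns));
}

// Symmetric encoder for the link the report page emits, so the same code
// produces and consumes the parameter.
function columnsToParam(array $columns): string
{
    return json_encode(array_values($columns), JSON_THROW_ON_ERROR);
}

// Constructed sample inputs: a well-formed parameter, a JSON object instead
// of a list, and something that is not JSON at all.
$param = columnsToParam(['date', 'views', 'views']);
var_dump(columnsFromRequest($param));
var_dump(columnsFromRequest('{"not":"a list"}'));
var_dump(columnsFromRequest('not json'));
```

The allow-list step matters even after the switch to JSON: `json_decode()` removes the object-instantiation problem, but the decoded array is still attacker-shaped data, and the report code should only act on column names it already knows.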


@asmecher asmecher commented Nov 26, 2019

To patch an existing OJS 3.x or OMP installation, apply this patch in the lib/pkp directory of your installation. For example:

cd lib/pkp
wget -O - -q "https://github.com/pkp/pkp-lib/commit/7808c1e50cd8545f239c9192d049bb614807b475.diff" | patch -p1

You should get something like:

checking file classes/statistics/PKPStatisticsHelper.inc.php
checking file pages/management/PKPToolsHandler.inc.php
Hunk #1 succeeded at 200 (offset 30 lines).

If you see any error messages, double-check that the patch applied correctly.

This issue will be fixed in OJS and OMP 3.1.2-2 and newer.

asmecher added a commit to pkp/usageStats that referenced this issue Nov 28, 2019
@asmecher asmecher added the Bug:3:Critical label Dec 18, 2019
@asmecher asmecher self-assigned this Dec 18, 2019
quoideneuf pushed a commit to quoideneuf/pkp-lib that referenced this issue Feb 20, 2020

@juanCure juanCure commented Aug 3, 2020

Hi @asmecher, I have applied this patch over OJS 3.1.1.4 code and only the PKP Usage Statistics report failed, not generating the CSV statistics file and resulting in a white screen. There is no message about the error in my server log. All the other reports work correctly.


@asmecher asmecher commented Aug 4, 2020

@juanCure, is it an option to upgrade your OJS installation to a newer release? This issue has been fixed in anything newer than 3.1.2-2, which is by now quite old.


@juanCure juanCure commented Aug 4, 2020

Hi @asmecher, that option is difficult because the journal has a custom theme based on the Bootstrap 3 theme; that's why I was encouraged to patch the fixes to resolve the security issues on OJS 3.1.1.4. Is there a way to resolve this issue completely on OJS 3.1.1.4?


@asmecher asmecher commented Aug 4, 2020

@juanCure, I understand, it's just difficult for us to prioritize debugging on older versions -- our team is small and has a lot of competing priorities. In any case, you might also need to patch your usageStats plugin (plugins/generic/usageStats) with pkp/usageStats@c1d1f0c.


@juanCure juanCure commented Aug 5, 2020

Hi @asmecher, I understood; thanks for indicating which patch I needed to apply to the usageStats plugin too. I have applied it, and at first it did not work, but the cause was some configuration on my nginx server; I have corrected it in my configuration and it worked.
