
Use json_encode/json_decode instead of serialize/unserialize in report generator #5302

Closed
asmecher opened this issue Nov 26, 2019 · 1 comment
@asmecher asmecher commented Nov 26, 2019

JSON is limited to simple constructs like arrays, strings, and numbers. serialize/unserialize can be used to describe more complex objects, which may not be trustworthy.

Use json_encode/json_decode instead of serialize/unserialize in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP unserialize can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.

Affects OJS 3.x and OMP installations 3.1.2-1 and older.

Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.
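As an added illustration of the point raised above (this is not code from the issue, the linked commit, or PKP), the PHP below contrasts the unserialize() pattern with the json_decode() replacement the issue asks for, and adds the allowed_classes fallback for code that cannot drop unserialize() yet. The function names decodeParamsUnsafe(), decodeParams() and decodeLegacySafe(), the ReportHook class and the sample report parameters are all assumptions made for illustration; PKP's real handlers are not shown.

```php
<?php
// Added example, not PKP's code. decodeParams()/decodeParamsUnsafe()/
// decodeLegacySafe() and the ReportHook class are hypothetical names
// chosen for illustration; the request parameter layout is constructed.

// A harmless stand-in for any application class with a magic method.
// Any class the application has loaded is reachable through unserialize().
class ReportHook
{
    public $cmd = 'noop';

    public function __wakeup()
    {
        // Runs automatically the moment unserialize() rebuilds the object,
        // before the caller has had any chance to inspect the result.
        echo "ReportHook::__wakeup() ran with cmd={$this->cmd}\n";
    }
}

// BEFORE: the pattern the issue describes. The caller of this function
// gets whatever object graph the input describes, magic methods included.
function decodeParamsUnsafe(string $raw)
{
    return unserialize($raw);
}

// AFTER: what the issue asks for. JSON can only produce scalars, arrays
// and (if $associative were false) stdClass, so no application class is
// ever instantiated, and the shape of the result can be checked.
function decodeParams(string $raw, int $maxDepth = 8): array
{
    // $associative = true yields plain arrays; $maxDepth bounds nesting.
    $params = json_decode($raw, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($params)) {
        throw new InvalidArgumentException(
            'Report parameters must be a JSON object or array: ' . json_last_error_msg()
        );
    }
    return $params;
}

// Defence in depth where unserialize() cannot be removed yet (PHP >= 7.0):
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no constructor, __wakeup() or __destruct() of a real class is reached.
function decodeLegacySafe(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed inputs: the parameters a report link might legitimately
// carry, and a serialized object of the kind the issue warns about.
$jsonInput = '{"columns":["month","country"],"filters":{"year":2019,"section":3}}';
$serializedInput = 'O:10:"ReportHook":1:{s:3:"cmd";s:4:"noop";}';

$params = decodeParams($jsonInput);
printf("json_decode: %d columns, year %d\n", count($params['columns']), $params['filters']['year']);

$obj = decodeParamsUnsafe($serializedInput);   // __wakeup() fires here
printf("unserialize: got %s\n", get_class($obj));

$safe = decodeLegacySafe($serializedInput);     // no __wakeup() this time
printf("unserialize(allowed_classes=false): got %s\n", get_class($safe));

try {
    decodeParams($serializedInput);             // serialized PHP is not JSON
} catch (InvalidArgumentException $e) {
    echo 'json_decode rejected it: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The three decoders are fed the same serialized string so the difference is visible directly: plain unserialize() executes ReportHook::__wakeup() before returning, unserialize() with allowed_classes set to false hands back an inert __PHP_Incomplete_Class, and json_decode() refuses the input outright because it is not JSON. The allowed_classes option exists from PHP 7.0 onwards; on older interpreters only the JSON route removes the object instantiation.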

@asmecher asmecher commented Nov 26, 2019

To patch an existing OJS 3.x or OMP installation, apply this patch in the lib/pkp directory of your installation. For example:

cd lib/pkp
wget -O - -q "https://github.com/pkp/pkp-lib/commit/7808c1e50cd8545f239c9192d049bb614807b475.diff" | patch -p1

You should get something like:

checking file classes/statistics/PKPStatisticsHelper.inc.php
checking file pages/management/PKPToolsHandler.inc.php
Hunk #1 succeeded at 200 (offset 30 lines).

If you see any error messages, double-check that the patch applied correctly.

This issue will be fixed in OJS and OMP 3.1.2-2 and newer.

@asmecher asmecher closed this Nov 26, 2019
asmecher added a commit to pkp/usageStats that referenced this issue Nov 28, 2019
@asmecher asmecher self-assigned this Dec 18, 2019