
Use json_encode/json_decode instead of serialize/unserialize in report generator #5302

Closed
@asmecher

Description

JSON is limited to simple constructs like arrays, strings, and numbers. serialize/unserialize can be used to describe more complex objects, which may not be trustworthy.

Use json_encode/json_decode instead of serialize/unserialize in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP unserialize can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.

Affects OJS 3.x and OMP installations 3.1.2-1 and older.

Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.
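The following is an added example written for this page, not code from OJS/OMP or from the reporter. It shows in PHP 8 why unserialize() on attacker-controlled bytes is dangerous (any class present in the application can be instantiated and its magic methods run with attacker-chosen property values) and why json_decode() is the safer replacement. The class name ReportCleanup, the column list and the payload string are constructed for illustration and do not correspond to real OJS/OMP code.

```php
<?php
// Added example (not OJS/OMP code): unserialize() vs. json_decode() on
// request-controlled data. ReportCleanup and the payloads are constructed.

class ReportCleanup
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs automatically when an instance is destroyed, including instances
    // that unserialize() built from attacker-supplied bytes.
    public function __destruct()
    {
        echo "ReportCleanup::__destruct would act on {$this->path}\n";
    }
}

// Legitimate use: a report parameter round-tripped with serialize().
$columns = ['id', 'title', 'date_submitted'];
$serialized = serialize($columns);
echo "serialize():   $serialized\n";
var_dump(unserialize($serialized) === $columns); // bool(true)

// Hostile replacement of that parameter: a serialized object of a class the
// application already defines. unserialize() instantiates it without calling
// the constructor, so __destruct runs with the attacker's property values.
$hostile = 'O:13:"ReportCleanup":1:{s:4:"path";s:13:"/tmp/anything";}';
$obj = unserialize($hostile);
var_dump($obj instanceof ReportCleanup); // bool(true)
unset($obj); // __destruct fires here

// Hardened: JSON only expresses arrays, strings, numbers, booleans and null.
// json_decode() never instantiates an application class.
$jsonEncoded = json_encode($columns);
echo "json_encode(): $jsonEncoded\n";
$decoded = json_decode($jsonEncoded, true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded === $columns); // bool(true)

// The hostile serialize() payload is simply not valid JSON: it fails closed.
try {
    json_decode($hostile, true, 512, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo "json_decode() rejected the payload: {$e->getMessage()}\n";
}

// Switching formats removes the object-instantiation primitive, not the need
// to validate the decoded shape before using it.
function validateColumns(mixed $decoded): array
{
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('columns must be a JSON array');
    }
    foreach ($decoded as $col) {
        if (!is_string($col) || !preg_match('/^[a-z_]+$/', $col)) {
            throw new InvalidArgumentException('invalid column name');
        }
    }
    return $decoded;
}
print_r(validateColumns($decoded));

// Where serialized data cannot be migrated yet (e.g. already-stored values),
// PHP 7+ can at least refuse to instantiate classes while reading it.
$safe = unserialize($hostile, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true): real __destruct never runs
```

The second argument to json_decode() (true) returns associative arrays rather than stdClass objects, which keeps the decoded value to plain data; JSON_THROW_ON_ERROR turns malformed input into an exception instead of a silent null that later code might treat as "no columns selected".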

Labels

Bug:3:Critical (A bug that prevents a substantial majority of users from using the software.)
