Use json_encode/json_decode instead of serialize/unserialize in report generator #5302
Comments
To patch an existing OJS 3.x or OMP installation, apply this patch in the
You should get something like:
If you see any error messages, double-check that the patch applied correctly. This issue will be fixed in OJS and OMP 3.1.2-2 and newer.
Hi @asmecher, I have applied this patch over an OJS 3.1.1.4 code base and only the PKP Usage Statistics report failed, not generating the CSV statistics file and resulting in a white screen. There is no message about the error in my server log. All the rest of the reports work correctly.
@juanCure, is it an option to upgrade your OJS installation to a newer release? This issue has been fixed in anything newer than 3.1.2-2, which is by now quite old.
Hi @asmecher, that option is difficult because the journal has a custom theme based on the Bootstrap 3 theme, which is why I chose to patch the fixes to resolve the security issues on OJS 3.1.1.4. Is there a way to completely resolve this issue on OJS 3.1.1.4?
@juanCure, I understand, it's just difficult for us to prioritize debugging on older versions -- our team is small and has a lot of competing priorities. In any case, you might also need to patch your usageStats plugin (plugins/generic/usageStats) with pkp/usageStats@c1d1f0c.
Hi @asmecher, I understood, thanks for indicating which patch I needed to apply to the usageStats plugin too. I have applied it and at first it did not work, but the cause was some configuration on my nginx server; I have corrected my configuration and it worked.
JSON is limited to simple constructs like arrays, strings, and numbers. `serialize`/`unserialize` can be used to describe more complex objects, which may not be trustworthy. Use `json_encode`/`json_decode` instead of `serialize`/`unserialize` in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP `unserialize` can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.
Affects OJS 3.x and OMP installations 3.1.2-1 and older.
Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.
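As an added illustration (this is not OJS/OMP code and not the project's patch): a report generator that carries its filter parameters through a URL, written first in the `unserialize` form the issue describes and then in the `json_decode` form it recommends, with the decoded structure allowlisted rather than trusted. The parameter names (`articleIds`, `dateStart`, `dateEnd`), the base64 transport, and PHP 7.3+ (for `JSON_THROW_ON_ERROR`) are assumptions of this example. The last function shows the `allowed_classes` option as an interim mitigation for code that cannot drop `unserialize` yet.

```php
<?php
// Added example, not OJS/OMP code. Parameter names, base64 transport and
// PHP 7.3+ are assumptions.
declare(strict_types=1);

// Before: the blob from the URL goes straight into unserialize(). The payload
// may describe any class the application can autoload, and that class's
// __wakeup()/__destruct() magic methods run on attacker-controlled data.
function decodeReportParamsUnsafe(string $blob): array
{
    $params = unserialize(base64_decode($blob)); // arbitrary object graphs accepted
    return is_array($params) ? $params : [];
}

// After: JSON can only express arrays, strings, numbers, booleans and null,
// so json_decode() never instantiates application classes.
function encodeReportParams(array $params): string
{
    $json = json_encode($params, JSON_THROW_ON_ERROR);
    // URL-safe base64 (assumed transport for this example)
    return rtrim(strtr(base64_encode($json), '+/', '-_'), '=');
}

function decodeReportParams(string $blob): array
{
    $json = base64_decode(strtr($blob, '-_', '+/'), true);
    if ($json === false) {
        throw new InvalidArgumentException('Report parameters are not valid base64');
    }
    // $associative = true: JSON objects become plain arrays, never stdClass
    // or application classes; depth 8 bounds deeply nested input.
    $params = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($params)) {
        throw new InvalidArgumentException('Report parameters must be a JSON object');
    }

    // Allowlist keys and types instead of trusting the decoded shape.
    $allowed = ['articleIds' => 'array', 'dateStart' => 'string', 'dateEnd' => 'string'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $params)) {
            continue;
        }
        if (gettype($params[$key]) !== $type) {
            throw new InvalidArgumentException("Parameter $key has the wrong type");
        }
        $clean[$key] = $params[$key];
    }
    foreach ($clean['articleIds'] ?? [] as $id) {
        if (!is_int($id) || $id < 1) {
            throw new InvalidArgumentException('articleIds must be positive integers');
        }
    }
    foreach (['dateStart', 'dateEnd'] as $k) {
        if (isset($clean[$k]) && !preg_match('/^\d{4}-\d{2}-\d{2}$/', $clean[$k])) {
            throw new InvalidArgumentException("$k must be YYYY-MM-DD");
        }
    }
    return $clean;
}

// Interim mitigation where unserialize() cannot be removed yet (PHP 7.0+):
// allowed_classes=false turns every object in the payload into
// __PHP_Incomplete_Class, so no application class is instantiated and no
// __wakeup()/__destruct() of an application class runs.
function decodeReportParamsNoClasses(string $blob): array
{
    $params = unserialize(base64_decode($blob), ['allowed_classes' => false]);
    return is_array($params) ? $params : [];
}

// Demonstration with constructed input
$blob = encodeReportParams([
    'articleIds' => [12, 34],
    'dateStart'  => '2019-01-01',
    'dateEnd'    => '2019-12-31',
]);
var_dump(decodeReportParams($blob));
```

The allowlist step matters even after the switch to JSON: `json_decode` removes the class-instantiation problem, but the report code still has to validate that each parameter has the type and range it expects before using it in a query or a file name.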