Use json_encode/json_decode instead of serialize/unserialize in report generator

[asmecher]

JSON is limited to simple constructs like arrays, strings, and numbers. serialize/unserialize can be used to describe more complex objects, which may not be trustworthy.

Use json_encode/json_decode instead of serialize/unserialize in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP unserialize can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.

Affects OJS 3.x and OMP installations 3.1.2-1 and older.

Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.

[asmecher]

To patch an existing OJS 3.x or OMP installation, apply this patch in the lib/pkp directory of your installation. For example:

cd lib/pkp
wget -O - -q "https://github.com/pkp/pkp-lib/commit/7808c1e50cd8545f239c9192d049bb614807b475.diff" | patch -p1

You should get something like:

checking file classes/statistics/PKPStatisticsHelper.inc.php
checking file pages/management/PKPToolsHandler.inc.php
Hunk #1 succeeded at 200 (offset 30 lines).

If you see any error messages, double-check that the patch applied correctly.

This issue will be fixed in OJS and OMP 3.1.2-2 and newer.

[juanCure]

To patch an existing OJS 3.x or OMP installation, apply this patch in the lib/pkp directory of your installation. For example:

cd lib/pkp
wget -O - -q "https://github.com/pkp/pkp-lib/commit/7808c1e50cd8545f239c9192d049bb614807b475.diff" | patch -p1

You should get something like:

checking file classes/statistics/PKPStatisticsHelper.inc.php
checking file pages/management/PKPToolsHandler.inc.php
Hunk #1 succeeded at 200 (offset 30 lines).

If you see any error messages, double-check that the patch applied correctly.

This issue will be fixed in OJS and OMP 3.1.2-2 and newer.

Hi @asmecher, I have applied this patch over an OJS 3.1.1.4 code and only the PKP Usage statistics report failed, no generating the CSV statistics file and resulting an white screen. There is not message about the error in my server log. All the rest reports work correctly.

[asmecher]

@juanCure, is it an option to upgrade your OJS installation to a newer release? This issue has been fixed in anything newer than 3.1.2-2, which is by now quite old.

[juanCure]

Hi @asmecher It's difficult that option because the journal has a custom theme based on Bootstrap 3 theme, that's why I encouraged to patch the fixes to resolve the security issues on OJS 3.1.1.4. Is there a way to resolve completely this issue on OJS 3.1.1.4?

[asmecher]

@juanCure, I understand, it's just difficult for us to prioritize debugging on older versions -- our team is small and has a lot of competing priorities. In any case, you might also need to patch your usageStats plugin (plugins/generic/usageStats) with pkp/usageStats@c1d1f0c.

[juanCure]

Hi @asmecher I understood, thanks for indicate what patch I needed to apply to usageStats plugin too, I have applied it and firstly it did not work but the cause was some configuration on my nginx server, i have corrected it in my configuration and it worked.