Remove JBImages plugin

[asmecher]

The Justboil.me TinyMCE plugin, included in some PKP products, is not safe; see: https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html

Unaffected releases
The following releases are not affected by the insecure version of JBImages and do not require any changes:

• Open Journal Systems (OJS) 3.2.0 and newer
• Open Monograph Press (OMP) 3.2.0 and newer
• Open Preprint Systems (all releases)

If your release of OJS, OCS or OMP is not listed here, consider it to be affected!

Affected releases
All builds of the following releases are affected by the insecure version of JBImages:

• Open Journal Systems (OJS)
  • OJS 2.x older than 2.4.x: please upgrade!
  • OJS 2.4.x: patch
  • OJS 3.0.0: patch
  • OJS 3.0.1: patch
  • OJS 3.0.2: patch
  • OJS 3.1.0: patch
  • OJS 3.1.1: patch
  • OJS 3.1.2-0: patch
  • OJS 3.1.2-1, 3.1.2-2, 3.1.2-3, 3.1.2-4: patch
• Open Monograph Press (OMP)
  • OMP 1.0.0: patch
  • OMP 1.1.0: patch
  • OMP 1.1.1: patch
  • OMP 1.2.0: patch
  • OMP 3.1.0: patch
  • OMP 3.1.1: patch
  • OMP 3.1.2: patch
• Open Conference Systems (OCS)
  • OCS 2.3.6: patch
  • OCS older than 2.3.6: please upgrade!

To apply a patch, use the following command line from within your installation directory:

wget -O - "patch_url_here" | patch -p2

...replacing patch_url_here with the appropriate URL from the list above for your release. (It is recommended to use the --dry-run option first, to test that the patch applies cleanly.)

Git Users
If you are using a git-based checkout of any of these applications, the following stable branches have been patched:

• Open Journal Systems (OJS)
  • ojs-stable-3_1_1
  • stable-3_1_2
• Open Journal Systems (OMP)
  • omp-stable-3_1_1
  • stable-3_1_2
• Open Conference Systems (OCS)
  • ocs-dev-2_3
  • ocs-stable-2_3_6

The issue affects the main repository (ojs, omp, or ocs), plus the lib/pkp/ and plugins/generic/tinymce` submodules (if present) -- ensure that all are updated!

Manual Correction
To manually remove the vulnerable jbimages plugin:

• Search for and remove directories called jbimages or justboil.me
• Search for references to jbimages in the codebase:

  find . -type f -exec fgrep -l jbimages "{}" ";"
  

• For each result, edit the file and remove the reference to jbimages.

Mitigation via web server configuration
It is likely, but not confirmed, that this exploit can be mitigated by preventing executable code from running within the public directory, e.g.:

<Directory ~ "public">
    <Files ~ "\.(php|php3|phtml)$">
        Deny from all
    </Files>
</Directory>

However, this would only prevent the execution of the files and not their upload, and should be considered a partial solution at best.

Restoring the Removed Functionality
Applying the fix as described above will remove the image upload feature previously provided by the JBImages plugin. To restore that functionality via a new mechanism, it may be possible to apply the changes in pkp/ojs#2755 (OJS installation directory) and #5888 (lib/pkp submodule). (These changes are not officially supported.)

[rtwilson]

When you say run the wget cmd in the install directory, do you mean the install dir of the specific plugin or general ojs install dir?

[asmecher]

This is the OJS (or OMP or OCS) installation directory.

[rtwilson]

thanks!

[navotera]

This patch remove the upload button on the tiny mce.

Is there any way we can upload any image on tiny mce as it used to be ?

[asmecher]

@NateWr, Travis environment changed a while ago and unfortunately broke automated testing for 3.1.2 and older (and I didn't judge it worth investing time in rewriting, as that branch is receiving almost no new commits). I've reviewed the code (but not tested it) and it looks good and consistent with the 3.2 implementation; if you've tested it manually, I'm satisfied.

[NateWr]

Merged. The stable_3_1_2 branch for OJS and OMP now supports image uploads. The pkp.min.js has been updated so no compilation is needed.

[navotera]

Hi @NateWr
Thank you for your countless dedication to this.
Let us know how to get this version? Do we need to update using the composer or download the fresh new OJS 3.1.2-4 on the GitHub Releases tab?

Thank you

[NateWr]

I don't think there is an official 3.1.2.x release that includes this yet so you would need to be running off of an install from git. If you're not already doing this it may prove tricky to migrate to that.

Instead, it may make sense to manually apply the changes described in #5888 and pkp/ojs#2755.

[kaitlinnewson]

When trying these with git apply --check ojs-3.1.2-1.patch within an OJS install directory, I receive a lot of "No such file or directory errors", e.g.:

error: ojs-3.1.2-1/js/pkp.min.js: No such file or directory
error: ojs-3.1.2-1/lib/pkp/js/controllers/SiteHandler.js: No such file or directory
error: ojs-3.1.2-1/plugins/generic/tinymce/plugins/justboil.me/ci/application/config/autoload.php: No such file or directory
....

This was with the patch for OJS 3.1.2-1. Will these files work with git apply, or only with patch?

[asmecher]

@kaitlinnewson, I think you need to specify the -p2 option (as with patch).

[kaitlinnewson]

@asmecher that did the trick - thanks!

[diegomejia071]

Hi, @NateWr
Apply the changes you mentioned for version 3.1.2.0, but when trying to upload an image I get the following error:

##api.publicFiles.413.noDirSpace##

[NateWr]

Ah, it looks like I might have forgotten to add the new locale strings. That particular error is:

You do not have enough space in your user directory. The file you are uploading is {$fileUploadSize}kb and you have {$dirSizeLeft}kb remaining.

The relevant error message here: https://github.com/pkp/pkp-lib/blob/master/locale/en_US/api.po#L44-L60. I will try to get these backported as well.

[diegomejia071]

Hi @NateWr,

Where is this api.po file located?

[NateWr]

They are not in 3.1.x. The translation files were converted to .po in 3.2.0. For 3.1.x you will want to look in the same location but under api.xml. You'll need to modify the format as well.

[diegomejia071]

Hi @NateWr,

I already made the corrections in the locale, but he same error always appears with any user.
You do not have enough space in your user directory. The file you are uploading is 117kb and you have -33713kb remaining.

What size do I have to modify on my server?

[NateWr]

It is set to 5mb by default. Try adding a parameter to our config.inc.php file with the number of kb you allow (default is 5000):

public_user_dir_size = 5000

[diegomejia071]

@NateWr,

The same keeps on giving an error:

jquery.min.js:2
POST https://XXXXXXX/api/v1/_uploadPublicFile 413 (Request Entity Too Large)

[diegomejia071]

@NateWr, thank you very much for the help.

[NateWr]

The file you are uploading is 117kb and you have -33713kb remaining.

This suggests that your directory is already very full. You may need to increase the dir size substantially to make this work.

[gonzalognzl]

@NateWr do you think PR #5888 pkp/ojs#2755 are safe to restore image upload functionality to OJS 3.1.1.0?

I'm not able to upload to 3.2 right now. Thanks!

[NateWr]

@gonzalognzl I'm not sure and I don't have a good enough memory to know what changed between 3.1.1 and 3.1.2. I'd recommend creating a test instance and trying it out first.

[primoz-svetek]

I don't think there is an official 3.1.2.x release that includes this yet so you would need to be running off of an install from git. If you're not already doing this it may prove tricky to migrate to that.

Instead, it may make sense to manually apply the changes described in #5888 and pkp/ojs#2755.

Hi @NateWr

I have applied both patches on OJS 3.1.2.4, but still don't see the icon to upload images. What else should I do to get it fixed?

[NateWr]

I recommend you upgrade to 3.2.x. 3.1.2.x is now quite old and not very well supported.