Description
The Justboil.me (JBImages) TinyMCE plugin, included in some PKP products, contains an arbitrary file upload vulnerability; see: https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html
Unaffected releases
The following releases are not affected by the insecure version of JBImages and do not require any changes:
- Open Journal Systems (OJS) 3.2.0 and newer
- Open Monograph Press (OMP) 3.2.0 and newer
- Open Preprint Systems (all releases)
If your release of OJS, OCS or OMP is not listed here, consider it to be affected!
Affected releases
All builds of the following releases are affected by the insecure version of JBImages:
- Open Journal Systems (OJS)
- Open Monograph Press (OMP)
- Open Conference Systems (OCS)
  - OCS 2.3.6: patch
  - OCS older than 2.3.6: please upgrade!
To apply a patch, use the following command line from within your installation directory:
wget -O - "patch_url_here" | patch -p2
...replacing patch_url_here with the appropriate URL from the list above for your release. (It is recommended to use the --dry-run option first, to test that the patch applies cleanly.)
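The dry-run-then-apply workflow above, written out as a small POSIX shell helper. This is an added example, not part of the PKP advisory: it reads the patch from a local file rather than piping it from wget so it runs offline, and the installation tree, the settings file and the patch it operates on are constructed stand-ins. The patch paths carry two leading components (a/ojs/...), which is what makes -p2 the correct strip level here.

```shell
#!/bin/sh
# Added example (not from the PKP advisory): apply a patch the way the advisory
# describes (patch -p2, --dry-run first), but from a local file instead of
# "wget -O - URL" so that it runs offline.
set -eu

# apply_patch_safely DIR PATCHFILE STRIP
# Dry-runs the patch inside DIR and applies it only if every hunk fits cleanly.
# -N refuses patches that are already applied, -f suppresses interactive prompts.
# Returns 0 when applied, 1 when the dry run rejects it (nothing is touched).
apply_patch_safely() {
    dir=$1; patchfile=$2; strip=$3
    if ! (cd "$dir" && patch --dry-run -N -f -s -p"$strip" < "$patchfile"); then
        echo "dry run failed; $dir left untouched" >&2
        return 1
    fi
    (cd "$dir" && patch -N -f -s -p"$strip" < "$patchfile")
}

# make_fixture: constructed stand-in for an installation plus a patch against it.
# Prints the work directory; the patch is at $work/fix.patch and the tree at
# $work/install. Paths in the patch carry two leading components (a/ojs/...),
# so -p2 is the right strip level, matching the advisory's command line.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/install"
    printf 'line one\nJBIMAGES_ENABLED=1\nline three\n' > "$work/install/settings.txt"
    cat > "$work/fix.patch" <<'EOF'
--- a/ojs/settings.txt
+++ b/ojs/settings.txt
@@ -1,3 +1,3 @@
 line one
-JBIMAGES_ENABLED=1
+JBIMAGES_ENABLED=0
 line three
EOF
    echo "$work"
}

# Usage against a real installation (hypothetical paths):
#   apply_patch_safely /var/www/ojs /tmp/jbimages-fix.patch 2
```

Running the same patch a second time makes the dry run fail (patch detects it as already applied), so the helper leaves the tree untouched and returns 1 instead of half-applying hunks.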
Git Users
If you are using a git-based checkout of any of these applications, the following stable branches have been patched:
- Open Journal Systems (OJS)
  - ojs-stable-3_1_1
  - stable-3_1_2
- Open Monograph Press (OMP)
  - omp-stable-3_1_1
  - stable-3_1_2
- Open Conference Systems (OCS)
  - ocs-dev-2_3
  - ocs-stable-2_3_6
The issue affects the main repository (ojs, omp, or ocs), plus the lib/pkp/ and plugins/generic/tinymce submodules (if present) -- ensure that all are updated!
Manual Correction
To manually remove the vulnerable jbimages plugin:
- Search for and remove directories called jbimages or justboil.me
- Search for references to jbimages in the codebase: find . -type f -exec fgrep -l jbimages "{}" ";"
- For each result, edit the file and remove the reference to jbimages.
Mitigation via web server configuration
It is likely, but not confirmed, that this exploit can be mitigated by preventing executable code from running within the public directory, e.g.:
    <Directory ~ "public">
        <Files ~ "\.(php|php3|phtml)$">
            Deny from all
        </Files>
    </Directory>
However, this would only prevent the execution of the files and not their upload, and should be considered a partial solution at best.
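An audit helper that covers both the manual correction steps above (leftover jbimages / justboil.me directories and files that still reference jbimages) and the caveat just made about the web server rule: since a deny rule only stops execution, it also lists any .php, .php3 or .phtml files sitting under a public directory, which is where uploads that the rule blocks but does not remove would accumulate. This is an added example, not part of the PKP advisory; the installation tree it is run against is a constructed fixture, and the file names in it are invented.

```shell
#!/bin/sh
# Added example (not from the PKP advisory): audit an installation tree for
# leftover JBImages artifacts and for script files under public/.
set -eu

# audit_install ROOT
# Prints one finding per line, tagged DIR, REF or PUBLIC-SCRIPT:
#   DIR            a directory named jbimages or justboil.me (advisory step 1)
#   REF            a file that still mentions jbimages (advisory step 2)
#   PUBLIC-SCRIPT  a .php/.php3/.phtml file below a "public" directory, i.e. a
#                  file the Apache rule would refuse to execute but not remove
audit_install() {
    root=$1
    find "$root" -type d \( -name jbimages -o -name justboil.me \) | sed 's/^/DIR /'
    find "$root" -type f -exec fgrep -l jbimages "{}" ";" | sed 's/^/REF /'
    find "$root" -path '*/public/*' -type f \
        \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) | sed 's/^/PUBLIC-SCRIPT /'
}

# audit_is_clean ROOT: true when audit_install reports nothing
audit_is_clean() {
    [ -z "$(audit_install "$1")" ]
}

# make_fixture: constructed stand-in for an installation, with one of each
# finding planted in it. Prints the root directory.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/plugins/generic/tinymce/jbimages" "$work/public/journals/1" "$work/lib/pkp"
    echo '<?php // vendored uploader (constructed)' > "$work/plugins/generic/tinymce/jbimages/index.php"
    echo "tinyMCE.init({ plugins: 'jbimages' });" > "$work/lib/pkp/tinymce.js"
    echo "tinyMCE.init({ plugins: 'link' });" > "$work/lib/pkp/clean.js"
    echo '<?php echo 1;' > "$work/public/journals/1/uploaded.php"
    echo 'not really a png' > "$work/public/journals/1/logo.png"
    echo "$work"
}

# Usage: ./audit.sh /path/to/installation
if [ $# -gt 0 ]; then
    audit_install "$1"
fi
```

The tags make the output easy to route: DIR and REF findings are the cleanup work the advisory describes, while PUBLIC-SCRIPT findings are worth treating as possible evidence of a prior upload and reviewing before deletion.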
Restoring the Removed Functionality
Applying the fix as described above will remove the image upload feature previously provided by the JBImages plugin. To restore that functionality via a new mechanism, it may be possible to apply the changes in pkp/ojs#2755 (OJS installation directory) and #5888 (lib/pkp submodule). (These changes are not officially supported.)