Remove JBImages plugin #5871
Comments
When you say run the wget cmd in the install directory, do you mean the install dir of the specific plugin or general ojs install dir?
This is the OJS (or OMP or OCS) installation directory.
thanks!
@NateWr, Travis environment changed a while ago and unfortunately broke automated testing for 3.1.2 and older (and I didn't judge it worth investing time in rewriting, as that branch is receiving almost no new commits). I've reviewed the code (but not tested it) and it looks good and consistent with the 3.2 implementation; if you've tested it manually, I'm satisfied.
pkp/pkp-lib#5871 Restore image upload support after removing upload vulnerability
Merged. The
#5871 Restore image upload to tinymce after removing vulne…
Hi @NateWr Thank you
I don't think there is an official 3.1.2.x release that includes this yet so you would need to be running off of an install from git. If you're not already doing this it may prove tricky to migrate to that. Instead, it may make sense to manually apply the changes described in #5888 and pkp/ojs#2755.
When trying these with
This was with the patch for OJS 3.1.2-1. Will these files work with
@kaitlinnewson, I think you need to specify the
@asmecher that did the trick - thanks!
Hi, @NateWr ##api.publicFiles.413.noDirSpace## |
Ah, it looks like I might have forgotten to add the new locale strings. That particular error is:
The relevant error message here: https://github.com/pkp/pkp-lib/blob/master/locale/en_US/api.po#L44-L60. I will try to get these backported as well.
Hi @NateWr, Where is this api.po file located?
They are not in 3.1.x. The translation files were converted to
Hi @NateWr, I already made the corrections in the locale, but the same error always appears with any user. What size do I have to modify on my server?
It is set to 5mb by default. Try adding a parameter to our
The same keeps on giving an error: jquery.min.js:2
@NateWr, thank you very much for the help.
This suggests that your directory is already very full. You may need to increase the dir size substantially to make this work.
@NateWr do you think PR #5888 pkp/ojs#2755 are safe to restore image upload functionality to OJS 3.1.1.0? I'm not able to upload to 3.2 right now. Thanks!
@gonzalognzl I'm not sure and I don't have a good enough memory to know what changed between 3.1.1 and 3.1.2. I'd recommend creating a test instance and trying it out first.
Hi @NateWr I have applied both patches on OJS 3.1.2.4, but still don't see the icon to upload images. What else should I do to get it fixed?
I recommend you upgrade to 3.2.x. 3.1.2.x is now quite old and not very well supported.
The Justboil.me TinyMCE plugin, included in some PKP products, is not safe; see: https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html
Unaffected releases
The following releases are not affected by the insecure version of JBImages and do not require any changes:
If your release of OJS, OCS or OMP is not listed here, consider it to be affected!
Affected releases
All builds of the following releases are affected by the insecure version of JBImages:
To apply a patch, use the following command line from within your installation directory:
...replacing patch_url_here with the appropriate URL from the list above for your release. (It is recommended to use the --dry-run option first, to test that the patch applies cleanly.)
Git Users
If you are using a git-based checkout of any of these applications, the following stable branches have been patched:
ojs-stable-3_1_1
stable-3_1_2
omp-stable-3_1_1
stable-3_1_2
ocs-dev-2_3
ocs-stable-2_3_6
The issue affects the main repository (ojs, omp, or ocs), plus the lib/pkp/ and plugins/generic/tinymce submodules (if present) -- ensure that all are updated!
Manual Correction
To manually remove the vulnerable jbimages plugin:
jbimages
or justboil.me
jbimages
in the codebase: jbimages.
Mitigation via web server configuration
It is likely, but not confirmed, that this exploit can be mitigated by preventing executable code from running within the public directory, e.g.:
However, this would only prevent the execution of the files and not their upload, and should be considered a partial solution at best.
Restoring the Removed Functionality
Applying the fix as described above will remove the image upload feature previously provided by the JBImages plugin. To restore that functionality via a new mechanism, it may be possible to apply the changes in pkp/ojs#2755 (OJS installation directory) and #5888 (lib/pkp submodule). (These changes are not officially supported.)