
Remove JBImages plugin #5871

Closed

Description

@asmecher

The Justboil.me TinyMCE plugin, included in some PKP products, is not safe; see: https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html

Unaffected releases
The following releases are not affected by the insecure version of JBImages and do not require any changes:

  • Open Journal Systems (OJS) 3.2.0 and newer
  • Open Monograph Press (OMP) 3.2.0 and newer
  • Open Preprint Systems (all releases)

If your release of OJS, OCS or OMP is not listed here, consider it to be affected!

Affected releases
All builds of the following releases are affected by the insecure version of JBImages:

  • Open Journal Systems (OJS)
    • OJS 2.x older than 2.4.x: please upgrade!
    • OJS 2.4.x: patch
    • OJS 3.0.0: patch
    • OJS 3.0.1: patch
    • OJS 3.0.2: patch
    • OJS 3.1.0: patch
    • OJS 3.1.1: patch
    • OJS 3.1.2-0: patch
    • OJS 3.1.2-1, 3.1.2-2, 3.1.2-3, 3.1.2-4: patch
  • Open Monograph Press (OMP)
  • Open Conference Systems (OCS)
    • OCS 2.3.6: patch
    • OCS older than 2.3.6: please upgrade!

To apply a patch, use the following command line from within your installation directory:

wget -O - "patch_url_here" | patch -p2

...replacing patch_url_here with the appropriate URL from the list above for your release. (It is recommended to use the --dry-run option first, to test that the patch applies cleanly.)

Git Users
If you are using a git-based checkout of any of these applications, the following stable branches have been patched:

  • Open Journal Systems (OJS)
    • ojs-stable-3_1_1
    • stable-3_1_2
  • Open Monograph Press (OMP)
    • omp-stable-3_1_1
    • stable-3_1_2
  • Open Conference Systems (OCS)
    • ocs-dev-2_3
    • ocs-stable-2_3_6

The issue affects the main repository (ojs, omp, or ocs), plus the lib/pkp/ and plugins/generic/tinymce submodules (if present); ensure that all are updated!

Manual Correction
To manually remove the vulnerable jbimages plugin:

  • Search for and remove directories called jbimages or justboil.me
  • Search for references to jbimages in the codebase:
    find . -type f -exec fgrep -l jbimages "{}" ";"
    
  • For each result, edit the file and remove the reference to jbimages.

Mitigation via web server configuration
It is likely, but not confirmed, that this exploit can be mitigated by preventing executable code from running within the public directory, e.g.:

# Apache 2.2 access-control syntax (available on 2.4 only via mod_access_compat);
# on Apache 2.4 without that module, use "Require all denied" instead of "Deny from all".
<Directory ~ "public">
    <Files ~ "\.(php|php3|phtml)$">
        Deny from all
    </Files>
</Directory>

However, this would only prevent the execution of the files and not their upload, and should be considered a partial solution at best.
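The following audit script is an added example, not part of this advisory or of any PKP release. It turns the two manual steps above into a repeatable check: the first function looks for leftover jbimages or justboil.me directories and for files that still reference jbimages (the same search the Manual Correction section uses, with grep -F in place of the older fgrep name), and the second lists server-side script files sitting under the public directory, i.e. exactly the files the Apache rule above is meant to refuse to execute, so an administrator can see whether anything was already uploaded before the rule was put in place. The function names, the audit.sh file name and the directory layout are assumptions made for the example; the script takes the installation root as its only argument.

```shell
#!/bin/sh
# Added audit helper for the JBImages removal; not part of the PKP advisory.
# Assumed usage:  sh audit.sh /path/to/ojs-or-omp-or-ocs
# Function names are hypothetical and chosen for this example only.

# jbimages_residue ROOT
# Print every directory named jbimages or justboil.me under ROOT, and every
# file under ROOT that still mentions jbimages. Returns 0 only when nothing
# is found, so it can be used as a pass/fail check after the manual removal.
jbimages_residue() {
    root="${1:-.}"
    dirs=$(find "$root" -type d \( -name jbimages -o -name justboil.me \) -print)
    # Same search as the advisory's "find ... -exec fgrep -l jbimages" step.
    refs=$(find "$root" -type f -exec grep -F -l jbimages "{}" ";")
    if [ -n "$dirs" ]; then
        echo "$dirs" | sed 's/^/directory: /'
    fi
    if [ -n "$refs" ]; then
        echo "$refs" | sed 's/^/reference: /'
    fi
    [ -z "$dirs" ] && [ -z "$refs" ]
}

# public_scripts PUBLIC_DIR
# List files under the web-served public directory whose extension would be
# executed as PHP (the same php/php3/phtml set as the Apache <Files> rule).
# Returns 0 when none exist; anything listed deserves a closer look, since
# the public directory is meant to hold uploaded images, not code.
public_scripts() {
    pub="${1:-public}"
    scripts=$(find "$pub" -type f \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) -print)
    if [ -n "$scripts" ]; then
        echo "$scripts" | sed 's/^/script in public dir: /'
    fi
    [ -z "$scripts" ]
}

# Run both checks only when an installation root is given on the command
# line; sourcing the file without arguments just defines the functions.
if [ $# -gt 0 ]; then
    jbimages_residue "$1"; residue=$?
    public_scripts "$1/public"; scripts=$?
    if [ $residue -eq 0 ] && [ $scripts -eq 0 ]; then
        echo "clean: no jbimages residue and no scripts under $1/public"
    fi
fi
```

A non-zero exit from either function means the manual correction is incomplete or something executable is present under public; the second check is a detection aid only and does not replace the web server rule, which in turn (as noted above) does not prevent uploads.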

Restoring the Removed Functionality
Applying the fix as described above will remove the image upload feature previously provided by the JBImages plugin. To restore that functionality via a new mechanism, it may be possible to apply the changes in pkp/ojs#2755 (OJS installation directory) and #5888 (lib/pkp submodule). (These changes are not officially supported.)

Labels

Bug:3:Critical (A bug that prevents a substantial majority of users from using the software.)
