
Remove JBImages plugin #5871
Closed
asmecher opened this issue May 14, 2020 · 30 comments
Labels: Bug:3:Critical

@asmecher (Member) commented May 14, 2020

The Justboil.me TinyMCE plugin, included in some PKP products, is not safe; see: https://packetstormsecurity.com/files/151677/TinyMCE-JBimages-3.x-JustBoilMe-Arbitrary-File-Upload.html

Unaffected releases
The following releases are not affected by the insecure version of JBImages and do not require any changes:

  • Open Journal Systems (OJS) 3.2.0 and newer
  • Open Monograph Press (OMP) 3.2.0 and newer
  • Open Preprint Systems (all releases)

If your release of OJS, OCS or OMP is not listed here, consider it to be affected!

Affected releases
All builds of the following releases are affected by the insecure version of JBImages:

  • Open Journal Systems (OJS)
    • OJS 2.x older than 2.4.x: please upgrade!
    • OJS 2.4.x: patch
    • OJS 3.0.0: patch
    • OJS 3.0.1: patch
    • OJS 3.0.2: patch
    • OJS 3.1.0: patch
    • OJS 3.1.1: patch
    • OJS 3.1.2-0: patch
    • OJS 3.1.2-1, 3.1.2-2, 3.1.2-3, 3.1.2-4: patch
  • Open Monograph Press (OMP)
  • Open Conference Systems (OCS)
    • OCS 2.3.6: patch
    • OCS older than 2.3.6: please upgrade!

To apply a patch, use the following command line from within your installation directory:

wget -O - "patch_url_here" | patch -p2

...replacing patch_url_here with the appropriate URL from the list above for your release. (It is recommended to use the --dry-run option first, to test that the patch applies cleanly.)

Git Users
If you are using a git-based checkout of any of these applications, the following stable branches have been patched:

  • Open Journal Systems (OJS)
    • ojs-stable-3_1_1
    • stable-3_1_2
  • Open Monograph Press (OMP)
    • omp-stable-3_1_1
    • stable-3_1_2
  • Open Conference Systems (OCS)
    • ocs-dev-2_3
    • ocs-stable-2_3_6

The issue affects the main repository (ojs, omp, or ocs), plus the lib/pkp/ and plugins/generic/tinymce submodules (if present) -- ensure that all are updated!

Manual Correction
To manually remove the vulnerable jbimages plugin:

  • Search for and remove directories called jbimages or justboil.me
  • Search for references to jbimages in the codebase:
    find . -type f -exec fgrep -l jbimages "{}" ";"
    
  • For each result, edit the file and remove the reference to jbimages.

Mitigation via web server configuration
It is likely, but not confirmed, that this exploit can be mitigated by preventing executable code from running within the public directory, e.g.:

<Directory ~ "public">
    <Files ~ "\.(php|php3|phtml)$">
        Deny from all
    </Files>
</Directory>

However, this would only prevent the execution of the files and not their upload, and should be considered a partial solution at best.

Restoring the Removed Functionality
Applying the fix as described above will remove the image upload feature previously provided by the JBImages plugin. To restore that functionality via a new mechanism, it may be possible to apply the changes in pkp/ojs#2755 (OJS installation directory) and #5888 (lib/pkp submodule). (These changes are not officially supported.)
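
As an added example (mine, not code from the issue or from PKP), the POSIX shell script below wraps the steps the issue describes: apply a patch from the installation directory only after the dry run succeeds, then audit the tree for what the Manual Correction section says to remove. It also lists script-like files under public/, the directory the Mitigation section is about, since that is where an arbitrary-upload plugin would have left anything it was abused with. Two things are my assumptions rather than the issue's: that the install has a top-level public/ directory, and the file-name pattern used to flag scripts (.php, .phpN, .phtml, .phar, .phps, including as an inner extension such as shell.php.jpg).

```shell
#!/bin/sh
# Added example, not part of the issue or of OJS/OMP/OCS.
# Usage (after sourcing this file from the install directory):
#   apply_pkp_patch <patch file or URL>
#   audit_jbimages [install dir]   # defaults to .

# Apply a PKP patch the way the issue describes (wget | patch -p2), but only
# if a dry run applies cleanly. Accepts a local file or a URL.
apply_pkp_patch() {
    src="$1"
    case "$src" in
        http://*|https://*)
            tmp=$(mktemp) || return 1
            wget -q -O "$tmp" "$src" || { rm -f "$tmp"; return 1; }
            src="$tmp"
            ;;
    esac
    if ! patch -p2 --dry-run < "$src"; then
        echo "patch does not apply cleanly; nothing changed" >&2
        return 1
    fi
    patch -p2 < "$src"
}

# Report everything the Manual Correction section says to remove, plus script
# files under public/. Prints one finding per line and returns 1 if any exist.
audit_jbimages() {
    root="${1:-.}"
    report=$(mktemp) || return 1

    # 1. Plugin directories: "jbimages" or "justboil.me".
    find "$root" -type d \( -name jbimages -o -name justboil.me \) 2>/dev/null \
        | sed 's/^/DIR   /' >> "$report"

    # 2. Remaining references in the code base (the issue's fgrep one-liner,
    #    skipping .git so the history of the removal itself does not count).
    find "$root" -type f ! -path '*/.git/*' -exec grep -l jbimages {} + 2>/dev/null \
        | sed 's/^/REF   /' >> "$report"

    # 3. Anything under public/ that a PHP handler might execute. Assumption
    #    (mine): uploads belong only in public/, and .php/.phpN/.phtml/.phar/
    #    .phps anywhere in the name (shell.php.jpg included) is suspect.
    if [ -d "$root/public" ]; then
        find "$root/public" -type f 2>/dev/null \
            | grep -E '\.ph(p[0-9]?|tml|ar|ps)(\.|$)' \
            | sed 's/^/EXEC  /' >> "$report"
    fi

    cat "$report"
    findings=$(($(wc -l < "$report")))
    rm -f "$report"
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run audit_jbimages once before patching to see the baseline and once after; a non-zero exit after the fix means a remnant (or an uploaded script in public/) still needs attention. Remember that git checkouts need the same check inside the lib/pkp and plugins/generic/tinymce submodules, as the issue notes.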

@asmecher asmecher added the Bug:3:Critical label May 14, 2020
@asmecher asmecher added this to the OJS/OMP 3.1.2-5 milestone May 14, 2020
@asmecher asmecher self-assigned this May 14, 2020
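
The Apache snippet in the issue is 2.2-era syntax (Deny from all only works on Apache 2.4 with mod_access_compat loaded) and its pattern is anchored with $, so it matches only when the script extension is the last one. Where PHP is attached with AddHandler, mod_mime inspects every dotted suffix of a name, so shell.php.jpg is still handed to PHP while slipping past that deny rule. This added shell example (mine, not from the issue or PKP) prints an Apache 2.4 version of the rule with a broader pattern and includes a small checker that runs both patterns over constructed upload names so the difference is visible before touching the server. The broader pattern and the /var/www/ojs/public path are my assumptions; the patterns are POSIX ERE, which grep -E runs and which Apache's PCRE accepts unchanged.

```shell
#!/bin/sh
# Added example, not part of the issue or of OJS/OMP/OCS.

# Pattern from the issue: matches only when the script suffix is the final one.
ORIGINAL_RE='\.(php|php3|phtml)$'
# Broader pattern (assumption): any .php/.phpN/.phtml/.phar/.phps suffix,
# final or not, so double-extension names such as shell.php.jpg are denied.
HARDENED_RE='\.ph(p[0-9]?|tml|ar|ps)(\.|$)'

# Return 0 if the file name would be denied by the pattern, 1 otherwise.
# Case-sensitive, like an Apache FilesMatch without (?i).
blocked_by() {
    printf '%s\n' "$2" | grep -qE -- "$1"
}

# Print an Apache 2.4 <Directory> block for the given absolute public/ path.
emit_public_noexec_conf() {
    cat <<EOF
<Directory "$1">
    # Never serve script files out of the upload tree, whatever their MIME type.
    # (?i): mod_mime matches extensions case-insensitively, so the deny must too.
    <FilesMatch "(?i)$HARDENED_RE">
        Require all denied
    </FilesMatch>
    # With mod_php, also switch the engine off for this tree (belt and braces):
    # php_admin_flag engine off
</Directory>
EOF
}

# Run both patterns over a few constructed upload names and report the result.
demo() {
    for name in logo.png shell.php shell.phtml shell.php.jpg shell.phar shell.php5; do
        o=denied;  blocked_by "$ORIGINAL_RE" "$name" || o=ALLOWED
        h=denied;  blocked_by "$HARDENED_RE" "$name" || h=ALLOWED
        printf '%-16s original: %-8s hardened: %s\n' "$name" "$o" "$h"
    done
}
```

Write the output of emit_public_noexec_conf into a conf.d snippet, run apachectl configtest, then reload. As the issue says, denying execution does nothing about the upload itself, so the plugin still has to be removed.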
asmecher added commits to pkp/tinymce, pkp/ojs, pkp/omp and this repository (pkp/pkp-lib) that referenced this issue May 14, 2020
@rtwilson commented May 15, 2020

When you say run the wget cmd in the install directory, do you mean the install dir of the specific plugin or general ojs install dir?

@asmecher (Member Author) commented May 15, 2020

This is the OJS (or OMP or OCS) installation directory.

@rtwilson commented May 15, 2020

thanks!

@navotera commented May 16, 2020

This patch removes the upload button in TinyMCE.

Is there any way we can upload any image on tiny mce as it used to be ?

@asmecher (Member Author) commented May 26, 2020

@NateWr, Travis environment changed a while ago and unfortunately broke automated testing for 3.1.2 and older (and I didn't judge it worth investing time in rewriting, as that branch is receiving almost no new commits). I've reviewed the code (but not tested it) and it looks good and consistent with the 3.2 implementation; if you've tested it manually, I'm satisfied.

NateWr added commits to NateWr/ojs and NateWr/omp that referenced this issue May 27, 2020
NateWr added a commit to pkp/omp that referenced this issue May 27, 2020: pkp/pkp-lib#5871 Restore image upload support after removing upload vulnerability
NateWr added a commit to pkp/ojs that referenced this issue May 27, 2020: pkp/pkp-lib#5871 Restore image upload support after removing upload vulnerability
@NateWr (Member) commented May 27, 2020

Merged. The stable_3_1_2 branch for OJS and OMP now supports image uploads. The pkp.min.js has been updated so no compilation is needed.

NateWr added a commit that referenced this issue May 27, 2020: #5871 Restore image upload to tinymce after removing vulne…
@navotera commented May 31, 2020

Hi @NateWr
Thank you for your countless dedication to this.
Let us know how to get this version? Do we need to update using the composer or download the fresh new OJS 3.1.2-4 on the GitHub Releases tab?

Thank you

@NateWr (Member) commented Jun 1, 2020

I don't think there is an official 3.1.2.x release that includes this yet so you would need to be running off of an install from git. If you're not already doing this it may prove tricky to migrate to that.

Instead, it may make sense to manually apply the changes described in #5888 and pkp/ojs#2755.

@kaitlinnewson (Contributor) commented Jun 1, 2020

When trying these with git apply --check ojs-3.1.2-1.patch within an OJS install directory, I receive a lot of "No such file or directory" errors, e.g.:

error: ojs-3.1.2-1/js/pkp.min.js: No such file or directory
error: ojs-3.1.2-1/lib/pkp/js/controllers/SiteHandler.js: No such file or directory
error: ojs-3.1.2-1/plugins/generic/tinymce/plugins/justboil.me/ci/application/config/autoload.php: No such file or directory
....

This was with the patch for OJS 3.1.2-1. Will these files work with git apply, or only with patch?

@asmecher (Member Author) commented Jun 1, 2020

@kaitlinnewson, I think you need to specify the -p2 option (as with patch).

@kaitlinnewson (Contributor) commented Jun 1, 2020

@asmecher that did the trick - thanks!

@diegomejia071 commented Jun 4, 2020

Hi, @NateWr
I applied the changes you mentioned for version 3.1.2.0, but when trying to upload an image I get the following error:

##api.publicFiles.413.noDirSpace##

@NateWr (Member) commented Jun 4, 2020

Ah, it looks like I might have forgotten to add the new locale strings. That particular error is:

You do not have enough space in your user directory. The file you are uploading is {$fileUploadSize}kb and you have {$dirSizeLeft}kb remaining.

The relevant error message here: https://github.com/pkp/pkp-lib/blob/master/locale/en_US/api.po#L44-L60. I will try to get these backported as well.

@diegomejia071 commented Jun 4, 2020

Hi @NateWr,

Where is this api.po file located?

@NateWr (Member) commented Jun 4, 2020

They are not in 3.1.x. The translation files were converted to .po in 3.2.0. For 3.1.x you will want to look in the same location but under api.xml. You'll need to modify the format as well.

@diegomejia071 commented Jun 4, 2020

Hi @NateWr,

I already made the corrections in the locale, but the same error always appears with any user:
You do not have enough space in your user directory. The file you are uploading is 117kb and you have -33713kb remaining.

What size do I have to modify on my server?

@NateWr (Member) commented Jun 4, 2020

It is set to 5mb by default. Try adding a parameter to your config.inc.php file with the number of kb you allow (default is 5000):

public_user_dir_size = 5000

@diegomejia071 commented Jun 4, 2020

@NateWr,

The same keeps on giving an error:

jquery.min.js:2
POST https://XXXXXXX/api/v1/_uploadPublicFile 413 (Request Entity Too Large)

@diegomejia071 commented Jun 4, 2020

@NateWr, thank you very much for the help.

@NateWr (Member) commented Jun 8, 2020

> The file you are uploading is 117kb and you have -33713kb remaining.

This suggests that your directory is already very full. You may need to increase the dir size substantially to make this work.

@gonzalognzl commented Jun 25, 2020

@NateWr do you think PR #5888 pkp/ojs#2755 are safe to restore image upload functionality to OJS 3.1.1.0?

I'm not able to upload to 3.2 right now. Thanks!

@NateWr (Member) commented Jun 29, 2020

@gonzalognzl I'm not sure and I don't have a good enough memory to know what changed between 3.1.1 and 3.1.2. I'd recommend creating a test instance and trying it out first.

@primoz-svetek (Contributor) commented Nov 8, 2020

> I don't think there is an official 3.1.2.x release that includes this yet so you would need to be running off of an install from git. If you're not already doing this it may prove tricky to migrate to that.
>
> Instead, it may make sense to manually apply the changes described in #5888 and pkp/ojs#2755.

Hi @NateWr

I have applied both patches on OJS 3.1.2.4, but still don't see the icon to upload images. What else should I do to get it fixed?

@NateWr (Member) commented Nov 10, 2020

I recommend you upgrade to 3.2.x. 3.1.2.x is now quite old and not very well supported.
