Open Journal Systems (OJS): Hacking Epidemic and Solutions
David Green
With a sharp increase in Open Journal Systems (OJS) hacking incidents, the developer, Public Knowledge Project (PKP), faces a serious challenge to improve the security of its programs.[note]PKP Community Forum. User posts. Available at: http://forum.pkp.sfu.ca/search?q=hack.[/note]
The end result of any OJS security breach is significant as publishing sites using OJS have databases containing detailed information about the researchers, which attackers can use for identity theft and fraud. Furthermore, attackers could access and steal unpublished manuscripts or even utilize the OJS to publish bogus research. This is on top of compromising the entire server security and causing a total site malfunction.
Aside from damage to your publishing business reputation and the cost in time and money to fix, OJS security vulnerabilities can expose you to legal liability through tort law (see OJS Security Threats and Legal Liabilities).
Regular and full vulnerability disclosure is a critical component of supporting any open source software. Since the developer has not taken any steps to address OJS security vulnerabilities, publishing institutions using OJS have to take matters into their own hands and beef up security against these threats.
Here are the 4 main causes of this increase in OJS hacking incidents:
- The lack of, or poor, disclosure of OJS security vulnerabilities by PKP.
- The lack of solutions from PKP.
- The increased sophistication of malware and hacking attacks.
- Misconfiguration of OJS.
You don’t need to be a programmer to realize that it is impossible for any PHP-based open-source software, with the first version dating back to 2001, to have zero security vulnerabilities. However, since 2001—the launch of the first version of OJS—PKP has failed to make any regular disclosures about OJS security vulnerabilities.
In 2012, a third-party organization[note]High Tech Bridge. Multiple vulnerabilities in Open Journal Systems (OJS) HTB23079. San Francisco: Author; February 29, 2012. Available at: https://www.htbridge.com/advisory/HTB23079.[/note] announced its discovery of 3 vulnerabilities in OJS version 2.3.7. These issues were not fully resolved by PKP.
In 2016, another third-party organization[note]Henry Raul. Open Journal Systems: ¿Que tan bueno es no tener vulnerabilidades? Behique Digital blog post. December 13, 2016. Available at: https://henryraul.wordpress.com/2016/12/13/ojs-que-tan-vulnerable-es-no-tener-vulnerabilidades/.[/note] announced additional security flaws in the most recent version of OJS.
Also in 2016, research done by yet another third-party organization[note]Dadkhah M., Borchardt G. and Lagzian M. Do you ignore information security in your journal website? Sci Eng Ethics (2016). doi:10.1007/s11948-016-9849-z.[/note] used Dorks and search engines to identify 26 OJS websites which were exploitable due to their misconfiguration. Dorks are "terms" that produce a list of websites that have specific vulnerabilities.[note]Lancor L. and Workman R. Using Google hacking to enhance defense strategies. ACM SIGCSE Bulletin 2007;39(1):491–95. Available at: http://dl.acm.org/results.cfm?query=Lancor&Go.x=0&Go.y=0.[/note] Each vulnerability has its own Dorks, so the researchers created Dorks for finding OJS websites with misconfigurations. You can simply type the keywords OJS and Deface into Google Search to find multiple websites and tutorials about hacking OJS.
The uploading of malicious code during the submission process has affected the most recent versions, including OJS 2.4.8-1. Since OJS has an open registration policy, anyone can register as an author. Fake authors can then upload malicious files without the OJS Administrator knowing about it unless the submission is completed, which the hacker does not need to do!
To combat this threat, you need to do 4 things:
- Only allow the upload of files with safe extensions (such as .doc, .docx, .odt, .pdf) and prohibit the upload of files with server-side executable extensions (such as .phtml, .asp, .php, .rb, .py).
- Automatically notify Journal contact about any new OJS registration.
- Install your OJS so that the file directory is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server.
- Keep your OJS version up-to-date with the latest upgrades.
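The extension allowlist from the first step, written out as a server-side check. This is an added example, not code from the article or from the plugins it advertises; the allowed extensions, the signature table and the function names are assumptions for the demonstration.

```php
<?php
// Added example, not code from the article or from the plugins it advertises.
// Deny-by-default allowlist check for a submission upload, as step 1 above
// describes. ALLOWED_EXTENSIONS and the signatures are assumptions for this
// demonstration; adapt the list to the journal's policy.

const ALLOWED_EXTENSIONS = ['doc', 'docx', 'odt', 'pdf'];
// First bytes each allowed type is expected to start with (constructed table).
const EXPECTED_MAGIC = [
    'pdf'  => '%PDF-',
    'docx' => "PK\x03\x04",          // OOXML is a ZIP container
    'odt'  => "PK\x03\x04",          // OpenDocument is ZIP-based too
    'doc'  => "\xD0\xCF\x11\xE0",    // legacy OLE2 compound file
];
// Returns the lower-cased extension when the name is acceptable, else null.
function allowedExtension(string $originalName): ?string
{
    // Drop any path component a client may send ("../x.pdf" or "C:\x.pdf").
    $name = basename(str_replace('\\', '/', $originalName));

    // Control characters and NUL bytes have no place in a file name; some
    // stacks truncate at NUL, turning "x.php\0.pdf" into "x.php".
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }

    // Exactly one dot: "paper.phtml.pdf" is refused because Apache's mod_mime
    // may honour the inner extension and hand the file to the PHP handler.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }

    // Case-insensitive: "PAPER.PHTML" is still a PHTML script to the server.
    $ext = strtolower($parts[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// Content check so a script merely renamed to .pdf does not pass on name alone.
function isAcceptableUpload(string $originalName, string $tmpPath): bool
{
    $ext = allowedExtension($originalName);
    if ($ext === null) {
        return false;
    }
    $magic = EXPECTED_MAGIC[$ext];
    $head  = file_get_contents($tmpPath, false, null, 0, strlen($magic));
    return $head !== false && $head === $magic;
}
```

Run `isAcceptableUpload($_FILES['f']['name'], $_FILES['f']['tmp_name'])` before the file is moved into the files directory; step 3 above is about pointing that directory (the files_dir setting in OJS's config.inc.php) outside the web root so that even a file that slips past the check is never served or executed.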
What We’ve Done
OpenJournalSystems.com is proud to address important security needs with the release of 2 new security plugins: OJS File Upload Validation Plugin and OJS Registration Notification Plugin. These plugins have been developed specifically to address OJS security vulnerabilities and to prevent hacking, and are detailed below and on our new product page.
The OJS File Upload Validation Plugin enables the Administrator or Journal Manager to choose the file types that can be uploaded during the submission process. This plugin prevents the upload of malware, such as PHTML shellcode files, which are used by hackers to gain access to an OJS web server.
The OJS Registration Notification Plugin sends an email notification to a predetermined address whenever a user registers for a journal. This email contains the name of the registrant, journal, and user role, allowing the Administrator or Journal Manager/Contact to verify the new user or terminate the fake author’s registration long before they can do any damage.
Please visit our new product page for more information.
Since the publication of “Open Journal Systems Hacking Epidemic and Solutions” on January 26th, Public Knowledge Project (PKP) has posted multiple retaliatory responses on its website, denying OJS security vulnerabilities, and lashing out with wild accusations and defamatory statements against OpenJournalSystems.com.
The fact is, over the past four years, we have rescued over 50 hacked OJS websites. These publishers were stranded and, with no assistance coming from PKP, they turned to OpenJournalSystems.com for help: publishers like International Journal of the Analytic Hierarchy Process, International Journal of MCH and AIDS, The Malayan Nature Journal, Malaysian Journal of Psychiatry, and International Journal of Translational Medical Research and Public Health.
Regular and full vulnerability disclosure is critical to any open source software. Since 2001, PKP has failed to make a single public announcement addressing OJS security vulnerabilities. PKP has falsely argued that only misconfiguration can lead to OJS security vulnerabilities. However, even with a correct configuration, a fake author can still easily upload malicious files to the server and no sane IT expert would ever consider that an acceptable risk! (See PKP’s response to upload of malicious files being benign)
While PKP continues to deny OJS vulnerabilities, hackers have been busy posting multiple tutorials on how to hack your OJS (see OJS Hacking Tutorials on Google Search). Another testament to OJS security vulnerabilities is the numerous posts on the PKP forum from publishers whose OJS websites have actually been hacked. Some of these posts are linked below.