Open Journal Systems (OJS): Hacking Epidemic and Solutions
David Green
With a sharp increase in Open Journal Systems (OJS) hacking incidents, the developer, Public Knowledge Project (PKP), faces a serious challenge to improve the security of its programs [1].
The impact of any OJS security breach is significant: publishing sites built on OJS hold databases with detailed personal information about researchers, which attackers can use for identity theft and fraud. Attackers could also access and steal unpublished manuscripts, or even use the compromised OJS to publish bogus research. This is on top of compromising the security of the entire server and causing a total site malfunction.
Aside from damage to your publishing business reputation and the cost in time and money to fix, OJS security vulnerabilities can expose you to legal liability through tort law (see OJS Security Threats and Legal Liabilities).
Regular and full vulnerability disclosure is a critical component of support for any open-source software. Since the developer has not taken steps to address OJS security vulnerabilities, publishing institutions using OJS have to take matters into their own hands and beef up security against these threats.
Here are the 4 main causes of this increase in OJS hacking incidents:
- Lack of, or poor, disclosure of OJS security vulnerabilities by PKP.
- The lack of solutions from PKP.
- The increased sophistication of malware and hacking attacks.
- Misconfiguration of OJS.
You don’t need to be a programmer to realize that it is impossible for any PHP-based open-source software whose first version dates back to 2001 to have zero security vulnerabilities. However, since the 2001 launch of the first version of OJS, PKP has failed to make regular disclosures about OJS security vulnerabilities.
In 2012, a third-party organization [2] announced its discovery of three vulnerabilities in OJS version 2.3.7. These issues were not fully resolved by PKP.
In 2016, another third-party organization [3] announced additional security flaws in the most recent version of OJS.
Also in 2016, research by yet another third-party organization [4] used dorks and search engines to identify 26 OJS websites that were exploitable because of their misconfiguration. Dorks are search-engine queries crafted so that the results are websites exhibiting a specific weakness [5]; each weakness has its own dorks, so the researchers created dorks for finding misconfigured OJS websites. Simply typing the keywords OJS and Deface into Google Search turns up multiple websites and tutorials about hacking OJS.
Upload of malicious code during the submission process affects even the most recent versions, including OJS 2.4.8-1. Because OJS has an open registration policy, anyone can register as an author. A fake author can then upload malicious files, and the OJS Administrator will not know about them unless the submission is completed, which the attacker has no need to do. The uploaded file is already stored on the server at that point; if the files directory is reachable through the web server and the file carries an extension the server executes, the attacker can run it simply by requesting its URL.
To combat this threat, you need to do four things:
- Only allow the upload of files with safe extensions (such as .doc, .docx, .odt, .pdf) and prohibit the upload of files with server-side executable extensions (such as .phtml, .php, .asp, .rb, .py). Apply the check on the server, to the whole file name rather than only the final extension, and prefer an allowlist of permitted types over a blocklist of dangerous ones.
- Automatically notify the journal contact about any new OJS registration.
- Install OJS so that the files directory (the files_dir setting in config.inc.php) is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server.
- Keep your OJS version up to date with the latest upgrades.
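The first and third items above, as an added example in Python (not code from the original page, and not the OpenJournalSystems.com plugin or PKP's own code): a server-side upload check that allowlists document extensions, rejects a server-side executable extension anywhere in the name (so shell.php.doc is refused, since Apache's mod_mime can act on any extension in a multi-extension name), compares the file's leading bytes with the claimed type, and confirms that the configured files_dir is not at or below the web server's document root. The allowlist, the signature table, the size limit, the paths and the sample files are all assumptions constructed for the example.

```python
import io
import os
import zipfile

# Allowlist: only the document formats a journal actually needs from authors
# (assumed set; adjust per journal policy).
ALLOWED_EXTENSIONS = {"doc", "docx", "odt", "pdf"}

# Extensions a web server may hand to an interpreter. Rejected anywhere in the
# name, so "shell.php.doc" fails even though its final extension is allowed.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "inc",
    "asp", "aspx", "jsp", "cgi", "pl", "py", "rb", "sh", "htaccess",
}

# Leading bytes each allowed type must start with.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound document
    "docx": b"PK\x03\x04",                          # ZIP container
    "odt": b"PK\x03\x04",
}


def check_upload(filename, data, max_bytes=50 * 1024 * 1024):
    """Return (accepted, reason) for a submitted file name and its bytes."""
    if len(data) > max_bytes:
        return False, "file too large"
    # Reject path separators and NUL bytes: the name must be a bare basename.
    if "\x00" in filename or filename != os.path.basename(filename.replace("\\", "/")):
        return False, "path separators or NUL in name"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension"          # also catches ".htaccess"
    exts = parts[1:]
    if EXECUTABLE_EXTENSIONS.intersection(exts):
        return False, "server-side executable extension"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if not data.startswith(MAGIC[final]):
        return False, "content does not match extension"
    if final in ("docx", "odt"):
        # Both are ZIP containers; require the marker member of each format.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if final == "odt":
                    ok = ("mimetype" in names and
                          zf.read("mimetype") == b"application/vnd.oasis.opendocument.text")
                else:
                    ok = "[Content_Types].xml" in names
        except zipfile.BadZipFile:
            ok = False
        if not ok:
            return False, "not a valid %s container" % final
    return True, "accepted"


def files_dir_outside_webroot(files_dir, document_root):
    """True when files_dir (config.inc.php, [files] section) is neither the
    web server's document root nor anything below it."""
    fd = os.path.realpath(files_dir)
    root = os.path.realpath(document_root)
    return os.path.commonpath([fd, root]) != root


def _zip_bytes(members):
    """Build an in-memory ZIP; constructed fixture, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample inputs for the demonstration below.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_DOC = MAGIC["doc"] + b"\x00" * 64
SAMPLE_ODT = _zip_bytes([("mimetype", b"application/vnd.oasis.opendocument.text"),
                         ("content.xml", b"<office:document-content/>")])
SAMPLE_DOCX = _zip_bytes([("[Content_Types].xml", b"<Types/>"),
                          ("word/document.xml", b"<w:document/>")])
WEB_SHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    cases = [("manuscript.pdf", SAMPLE_PDF), ("paper.odt", SAMPLE_ODT),
             ("shell.phtml", WEB_SHELL), ("shell.php.doc", SAMPLE_DOC),
             ("paper.pdf", WEB_SHELL), ("../../config.inc.php", WEB_SHELL)]
    for name, data in cases:
        print("%-24s %s" % (name, check_upload(name, data)))
    print("files_dir inside web root:",
          not files_dir_outside_webroot("/var/www/ojs/files", "/var/www/ojs"))
```

Extension and signature checks only narrow what an attacker can store: a file that starts with a valid PDF header can still carry PHP code further down, so item 3 remains essential. With files_dir outside the document root nothing in it is ever served or interpreted, whatever its name or contents. OJS itself is written in PHP, and an OJS plugin would perform the same checks in PHP at the point where the submission file is received.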
What We’ve Done
OpenJournalSystems.com is proud to address important security needs with the release of two new security plugins: the OJS File Upload Validation Plugin and the OJS Registration Notification Plugin. These plugins were developed specifically to address OJS security vulnerabilities and prevent hacking; they are detailed below and on our new product page.
The OJS File Upload Validation Plugin enables the Administrator or Journal Manager to choose the file types that can be uploaded during the submission process. This prevents the upload of web shells, such as .phtml files containing PHP code, which hackers use to gain access to an OJS web server.
The OJS Registration Notification Plugin sends an email notification to a predetermined address whenever a user registers for a journal. The email contains the registrant’s name, the journal, and the user role, allowing the Administrator or Journal Manager/Contact to verify the new user or remove a fake author’s registration long before they can do any damage.
Please visit our new product page for more information.
Since the publication of “Open Journal Systems Hacking Epidemic and Solutions” on January 26th, Public Knowledge Project (PKP) has posted multiple retaliatory responses on its website, denying OJS security vulnerabilities, and lashing out with wild accusations and defamatory statements against OpenJournalSystems.com.
The fact is, over the past four years we have rescued over 50 hacked OJS websites. These publishers were stranded, and with no assistance coming from PKP they turned to OpenJournalSystems.com for help. They include the International Journal of the Analytic Hierarchy Process, the International Journal of MCH and AIDS, The Malayan Nature Journal, the Malaysian Journal of Psychiatry, and the International Journal of Translational Medical Research and Public Health.
Regular and full vulnerability disclosure is critical to any open-source software. Since 2001, PKP has failed to make a single public announcement addressing OJS security vulnerabilities. PKP has falsely argued that only misconfiguration can lead to OJS security vulnerabilities. However, even with a correct configuration, a fake author can still easily upload malicious files to the server, and no sane IT expert would ever consider that an acceptable risk! (See PKP’s response to the upload of malicious files being benign.)
While PKP continues to deny OJS vulnerabilities, hackers have been busy posting multiple tutorials on how to hack your OJS (see OJS Hacking Tutorials on Google Search). Another testament to OJS security vulnerabilities is the number of posts on the PKP forum from publishers whose OJS websites have actually been hacked. Some of these posts are linked below.
Until 2013, PKP (PKP|PS, https://pkpservices.sfu.ca/content/journal-hosting) held a total monopoly over managed hosting and support for Open Journal Systems (OJS). PKP took advantage of this monopoly by charging an exorbitant rate for its services. For example, a publisher such as Mattioli 1885 (mattioli1885journals.com), with 9 titles and a 15 GB disk space requirement, would have been required to pay $2700 per title to PKP Publishing Services for journal hosting.
However, since the launch of OpenJournalSystems.com in 2013, e-publishers such as Mattioli 1885 have been able to enjoy high-quality managed hosting and support for their OJS for as little as $360 per year (see Mattioli Testimonial). As OpenJournalSystems.com gained market share bit by bit, PKP began to launch vicious attacks against our company.
Over the past four years, PKP and its representatives have engaged in a pattern of conduct that appears to have one sole purpose in mind – eliminate OpenJournalSystems.com as a competitor in the Open Journal Systems platform. This is a concerted effort on the part of PKP, its representatives, and its affiliated companies and vendors, to engage in defamation and interfere with OpenJournalSystems.com’s business through social media and on other forums.
OpenJournalSystems.com has been subjected to continuous harassment and cyberbullying from PKP. Since 2013, PKP has blocked our access to its forum to try to maintain a total monopoly on OJS services; created multiple websites directed at our CEO for the purpose of intimidation and defamation; and directed hundreds of baseless, defamatory social media attacks against OpenJournalSystems.com in an attempt to damage our reputation. Full details are available in our cease and desist demand letter.
PKP receives millions of dollars in grants, donations, Canadian federal funding, and university support, which makes it possible for its director, John Willinsky, to afford his $4,000,000 mansion in Silicon Valley (411 Stanford Ave Palo Alto, CA) and amass a net worth of over $10,000,000.
OpenJournalSystems.com, however, does not receive any funding, and our company spends thousands of dollars on the development of new, high-quality themes and plugins for OJS. These themes and plugins are copyrighted (see OpenJournalSystems.com Copyright and Licensing), but astonishingly PKP’s forum allows others who have pirated our theme code to create posts with links to these illegally obtained themes. We also have reasonable grounds to believe that PKP employees have been aiding and abetting OJS hackers from Indonesia in an attempt to breach our server security. These hackers failed, and we have reported the PKP employee responsible for these incidents to the FBI Cyber Crime Unit.
This is not the first time that PKP and their Canadian library associates have launched a libelous campaign against a US corporation. In 2010, Dale Askey, a PKP associate and a librarian at McMaster University, wrote a blog post about Edwin Mellen Press on his personal Web site, Bibliobrary, referring to the publisher as “dubious” and saying its books were often works of “second-class scholarship.” In June 2012, Edwin Mellen Press filed a multi-million dollar lawsuit against Dale Askey and McMaster University for defamation. PKP’s Canadian library associates started an online publicity campaign against Edwin Mellen Press, calling the defamation lawsuit an assault on academic freedom and free speech. Overwhelmed by this negative publicity campaign, Edwin Mellen Press withdrew their lawsuit in order to avoid any further damage to their business.
OpenJournalSystems.com currently hosts more than 130 open-access journals using Open Journal Systems, and has served over 500 OJS clients worldwide. We have a proven track record of providing comprehensive solutions for Open Journal Systems users and helping scholarly publishers make the most of their online publishing projects. We are the proud service provider for many university press groups around the world, including Michigan State University (msupress.org), Florida State University College of Medicine (theplaidjournal.com), Findlay University (journals.findlay.edu), Flinders University in Australia (journals.flinders.edu.au), Dominican University (worldlibraries.dom.edu), Sigmund Freud University in Austria (journals.sfu.ac.at), and many more. OpenJournalSystems.com prides itself on impeccable customer service, and we have the successful track record to prove it. Our number one goal is customer satisfaction. We invite you to visit our Testimonials Page to find out what our current clients have to say about us and our Projects Page to view our portfolio.
1. PKP Community Forum. User posts. Available at: http://forum.pkp.sfu.ca/search?q=hack
2. High Tech Bridge. Multiple vulnerabilities in Open Journal Systems (OJS), advisory HTB23079. San Francisco; February 29, 2012. Available at: https://www.htbridge.com/advisory/HTB23079
3. Henry Raul. Open Journal Systems: ¿Que tan bueno es no tener vulnerabilidades? [How good is it to have no vulnerabilities?]. Behique Digital blog post, December 13, 2016. Available at: https://henryraul.wordpress.com/2016/12/13/ojs-que-tan-vulnerable-es-no-tener-vulnerabilidades/
4. Dadkhah M, Borchardt G, Lagzian M. Do you ignore information security in your journal website? Sci Eng Ethics (2016). doi:10.1007/s11948-016-9849-z
5. Lancor L, Workman R. Using Google hacking to enhance defense strategies. ACM SIGCSE Bulletin 2007;39(1):491–95. Available at: http://dl.acm.org/results.cfm?query=Lancor&Go.x=0&Go.y=0