
XSS INJECTION IN OJS VERSION 3

2025-02-24 | Author: Ismail Puji Saputra


Open Journal Systems XSS attack prevention, OJS version 3.1.1.4

Vulnerability details:

1. The user registers as an author.

2. The user logs in as an author.

3. The user submits an article.

4. After the submission is complete, the journal editor assigns an editor to that submission.

5. The user adds a discussion and adds the journal manager or journal editor to the discussion.

6. The user enters the XSS injection in the subject form field:

7. The author can use this XSS injection to steal cookies.

8. To fix the problem, follow these steps:

a. Edit the file /lib/pkp/controllers/grid/queries/form/QueryForm.inc.php at line 333.

Change this:

$headNote->setTitle($this->getData('subject'));

to this:

$headNote->setTitle(htmlspecialchars($this->getData('subject'), ENT_QUOTES, 'UTF-8'));
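As an added check that is not part of the original post or of OJS: the fix above escapes the subject at the moment it is saved, so discussions created before the patch still hold their raw subject in the database. The Python below mirrors the PHP htmlspecialchars call with html.escape and flags stored titles that still contain raw tags; it assumes discussion subjects are stored in the notes table's title column (an assumption) and runs over constructed sample rows.

```python
"""Added example, not OJS code: mirror the QueryForm fix and audit stored titles.

Assumption: OJS keeps discussion subjects in the notes table's `title` column.
The rows below are constructed sample data, not real journal records.
"""
import html
import re

# A raw tag opener ("<script", "</b", "<img") is what lets the browser parse
# the subject as HTML; escaped text ("&lt;script") never matches.
RAW_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def escape_subject(subject: str) -> str:
    """Python equivalent of htmlspecialchars($s, ENT_QUOTES, 'UTF-8').

    & < > " ' become entities, so the subject renders as text. The only
    difference is that Python encodes ' as &#x27; where PHP uses &#039;.
    """
    return html.escape(subject, quote=True)


def is_unescaped_markup(title: str) -> bool:
    """True if a stored title still contains a raw HTML tag."""
    return bool(RAW_TAG_RE.search(title))


def audit_titles(rows):
    """rows: iterable of (note_id, title) as read from the notes table.

    Returns the note_ids whose title would be rendered as HTML, i.e. the
    discussions that were saved before the patch and need manual cleanup.
    """
    return [note_id for note_id, title in rows if is_unescaped_markup(title)]


# Constructed sample of the notes table after the patch was applied.
SAMPLE_ROWS = [
    (101, "Question about figure 2"),                    # ordinary subject
    (102, escape_subject("<b>Reviewer</b> comments")),   # escaped on write by the fix
    (103, "<script>alert(1)</script>"),                  # saved before the patch
    (104, "<img src=x onerror=alert(1)>"),               # saved before the patch
    (105, "Revisions for &copy; notice"),                # entity text, not a tag
]

if __name__ == "__main__":
    print(escape_subject("<script>alert(1)</script>"))
    print("notes needing review:", audit_titles(SAMPLE_ROWS))
```

Run the audit against a dump of the notes table after applying the patch; the patched form only protects subjects saved from then on.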

FINISH, THANKS

