Open Journal System | Arbitrary Code Execution as Journal Manager
Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Open Journal System |
| Affected Version | 3.4 |
| Software Vendor | Simon Fraser University |
| Software Link | https://github.com/pkp/ojs |
| Severity | High |
| CVSS Score | 8.7 |
| CVE Link | N/A |
| Affected Assets | 52320+ |
| Date of Discovery | Jan 7th, 2025 |
| PoC Exploit | http://hkohi.ca/uploads/material.tar.gz |
Description
In most content management systems, a plugin's code isn't executed until the plugin is explicitly enabled or otherwise triggered. In OJS, however, it appears that a plugin's code runs as soon as it is uploaded, so a Journal Manager can upload a malicious plugin and have its code executed without ever enabling it.
Reproduce
To reproduce, log in to OJS as Journal Manager and go to the following page:
localhost:8000/index.php/journal-name/management/settings/website#plugins/pluginGallery
Download any plugin you can, modify its code and add a PHP reverse shell inside it. Start a listener.
Click the "Installed Plugins" tab and then click "Upload A New Plugin". Browse and choose plugin.tar.gz, click Save, and you will get a shell instantly.
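A pre-installation check a defender can run on a plugin tarball before it reaches the upload form, added here as an example that is not part of the original advisory or of OJS itself: it flags archive members that would escape the plugin directory and PHP files that call command-execution or eval-style functions. The sample archives are constructed in memory, and the function list and the version.xml/index.php layout are assumptions, not OJS rules.

```python
import io
import re
import tarfile

# Calls worth manual review before a plugin is installed (assumed list, not an OJS rule).
SUSPICIOUS = re.compile(
    r"\b(eval|exec|shell_exec|system|passthru|proc_open|popen|fsockopen|assert)\s*\(", re.I
)

def scan_plugin_archive(data: bytes) -> dict:
    """Inspect a plugin .tar.gz in memory; returns unsafe member paths and flagged calls."""
    findings = {"unsafe_paths": [], "suspicious": {}}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            # Members that would land outside the plugin dir on extraction, or links (point anywhere)
            if name.startswith("/") or ".." in name.split("/") or member.issym() or member.islnk():
                findings["unsafe_paths"].append(name)
                continue
            if not member.isfile() or not name.lower().endswith((".php", ".inc", ".phtml")):
                continue
            src = tar.extractfile(member).read().decode("utf-8", errors="replace")
            calls = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(src)})
            if calls:
                findings["suspicious"][name] = calls
    return findings

def build_archive(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            blob = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()

# Constructed samples: a harmless plugin, and one with a command-execution call plus a
# path-traversal member. The version.xml/index.php layout is an assumption.
BENIGN = build_archive({
    "demoPlugin/version.xml": "<version><application>demoPlugin</application></version>",
    "demoPlugin/DemoPlugin.php": "<?php class DemoPlugin { function getName() { return 'demo'; } }",
})
MALICIOUS = build_archive({
    "demoPlugin/version.xml": "<version><application>demoPlugin</application></version>",
    "demoPlugin/index.php": "<?php system('id');",
    "../../config.inc.php": "<?php // would overwrite a file outside the plugins directory",
})
```

Running `scan_plugin_archive` over each sample returns no findings for the benign archive and, for the malicious one, the traversal path plus the `system` call in index.php; hooking such a check in front of the upload form closes the window in which OJS would otherwise run the plugin's code.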
Proof of Concept (PoC) Video
Posted on: May 24, 2025 05:01 AM