Public Knowledge Project OJS, OMP, and OPS User-XML Vulnerability Allowing Privilege Escalation and Backdoor Access

Vulnerability

A vulnerability has been identified in Public Knowledge Project (PKP) Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprints Services (OPS) versions prior to 3.3.0.21 and 3.4.x versions prior to 3.4.0.8. It allows a user holding the Journal Editor role to mount an XML External Entity (XXE) attack by submitting a manipulated XML document through the User XML Plugin import tool, enabling that user to create a new super admin role within the journal context and then upload a backdoor plugin.

Impact

Exploitation of this vulnerability allows unauthorized privilege escalation: a Journal Editor can gain super admin rights. That elevated access can then be used to upload malicious plugins that act as backdoors, giving attackers unauthorized access to the server through the website interface.

Reproduction

To reproduce this vulnerability, log in to an affected OJS, OMP, or OPS installation as a user with the Journal Editor role. Once logged in, open the User XML Import tool and upload a crafted XML document that exploits the XXE vulnerability; the document should be designed to create a new user with super admin privileges. After that user is created, log in as the new super admin and upload a backdoor plugin using the platform's plugin management features.

Remediation

Users are advised to upgrade to OJS version 3.3.0.21 (3.3.x branch) or 3.4.0.8 (3.4.x branch). After upgrading, OJS installations should be patched using the instructions available on the Open Journal Theme website.
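As a defensive complement to upgrading, operators and plugin authors can gate XML import files before they reach the application's real parser, rejecting any document that carries the DTD constructs an XXE payload depends on. The following is an added example written for this page, not PKP's code or the patched User XML Plugin: it uses Python's expat scanner only to detect DOCTYPE and entity declarations, refuses to resolve external entity references, and only then parses the document. The element names in the sample inputs are a constructed, simplified stand-in for the real PKP user-import format, and the URI in the unsafe sample is a placeholder.

```python
# Added example (not PKP's code): a pre-parse gate that rejects XML import
# files carrying DOCTYPE or entity declarations, the constructs an XXE payload
# needs, before the document reaches the application's real XML parser.
import xml.parsers.expat
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List


@dataclass
class GateResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def inspect_import_xml(data: bytes) -> GateResult:
    """Walk the document with expat and record every DTD/entity construct.

    Expat is used purely as a scanner: parameter-entity parsing stays at its
    default (external DTDs are never fetched), and any external entity
    reference in content is refused by returning 0 from the handler.
    """
    reasons: List[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        reasons.append(f"DOCTYPE declaration for root '{name}'")
        if system_id:
            reasons.append(f"external DTD reference: {system_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id is not None:
            reasons.append(f"external {kind} entity '{name}' -> {system_id}")
        else:
            reasons.append(f"internal {kind} entity '{name}'")

    def on_external_ref(context, base, system_id, public_id):
        reasons.append(f"refused to resolve external entity: {system_id}")
        return 0  # non-zero would let expat proceed; 0 fails the parse instead

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Either our refusal above or a malformed document; both are rejected.
        if not reasons:
            reasons.append(f"not well-formed XML: {exc}")

    return GateResult(accepted=not reasons, reasons=reasons)


def count_import_users(data: bytes) -> int:
    """Parse an accepted import and count <user> records; raise otherwise."""
    result = inspect_import_xml(data)
    if not result.accepted:
        raise ValueError("import rejected: " + "; ".join(result.reasons))
    root = ET.fromstring(data)
    return len(root.findall("user"))


# Constructed sample inputs. The element names are a simplified stand-in for
# the real PKP user-import format, not its actual schema.
BENIGN_IMPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user><username>reviewer1</username><email>reviewer1@example.invalid</email></user>
  <user><username>editor2</username><email>editor2@example.invalid</email></user>
</users>
"""

# Same structure, but with a DOCTYPE that declares an external entity and
# references it in a field: the shape the gate must stop. The URI is a
# placeholder, not a real resource.
UNSAFE_IMPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE users [
  <!ENTITY ext SYSTEM "https://example.invalid/placeholder">
]>
<users>
  <user><username>&ext;</username><email>x@example.invalid</email></user>
</users>
"""

if __name__ == "__main__":
    print(inspect_import_xml(BENIGN_IMPORT))
    print(inspect_import_xml(UNSAFE_IMPORT))
    print("users in benign import:", count_import_users(BENIGN_IMPORT))
```

The gate deliberately rejects every DOCTYPE, not just external entities, because a legitimate user-import file has no reason to carry a DTD and an internal subset is enough for entity-expansion abuse; the same rule can be applied at the web server or upload handler in any language.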

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread            5.2
  impact           10.0
  exploitability    6.8
  remediation       7.7
  relevance         0.0
  threat            6.4
  urgency           2.9
  incentive         1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined into the overall risk score.