[KIS-2025-11] Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path Traversal Vulnerability
好的,我现在需要帮用户总结这篇文章的内容,控制在100字以内。首先,我仔细阅读了文章内容,发现这是一篇关于Open Journal Systems(OJS)软件的安全漏洞公告。 文章提到,OJS的版本3.5.0-1及之前版本存在一个路径遍历漏洞。漏洞的原因是用户输入在Native XML插件中没有被正确清理,导致攻击者可以利用路径遍历写入或覆盖服务器上的任意文件,甚至可能执行任意PHP代码,从而实现远程代码执行(RCE)。 成功利用这个漏洞需要攻击者拥有访问“Import/Export”插件的权限,比如期刊编辑或生产编辑账户。此外,攻击者还需要知道或猜测OJS所在的服务器路径。 解决方案是升级到3.3.0-22、3.4.0-10、3.5.0-2或更高版本。漏洞的披露时间线显示从2025年10月到12月逐步修复和发布。CVE编号为CVE-2025-67890,由Egidio Romano发现。 现在,我需要将这些关键信息浓缩到100字以内。重点包括:软件名称、漏洞类型、影响版本、漏洞原因、攻击条件、可能影响以及解决方案。同时,要避免使用“文章内容总结”等开头语。 最终的总结应该简洁明了,涵盖所有重要点。 </think> Open Journal Systems (OJS) 存在路径遍历漏洞(CVE-2025-67890),影响 3.5.0-1 及以下版本。攻击者可通过未清理的用户输入在 Native XML 插件中写入或覆盖任意文件,可能导致远程代码执行。需升级至 3.3.0-22、3.4.0-10 或 3.5.0-2 及以上版本修复。 2025-12-28 05:19:44 Author: seclists.org(查看原文) 阅读量:6 收藏
fulldisclosure logo

Full Disclosure mailing list archives

From: Egidio Romano <n0b0d13s () gmail com>
Date: Tue, 23 Dec 2025 12:18:17 +0100
---------------------------------------------------------------------------------------------
Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path
Traversal Vulnerability
---------------------------------------------------------------------------------------------


[-] Software Links:

https://pkp.sfu.ca/software/ojs/
https://github.com/pkp/ojs


[-] Affected Versions:

Version 3.3.0-21 and prior versions.
Version 3.4.0-9 and prior versions.
Version 3.5.0-1 and prior versions.


[-] Vulnerability Description:

The vulnerability exists because user input passed to the "Native XML
Plugin" through the issue -> issue_galleys -> issue_galley ->
issue_file -> file_name tag of the imported XML file is not properly
sanitized before being used to set the "server-side file name", which
is later used as the final part of a variable which is used at in a
call to the writeFile() method without proper validation. This can be
exploited to write/overwrite arbitrary files on the web server via
Path Traversal sequences, potentially leading to, e.g., execution of
arbitrary PHP code (RCE).

Successful exploitation of this vulnerability requires an account with
permissions to access the "Import/Export" plugin ("Native XML
Plugin"), such as a "Journal Editor" or "Production Editor" user
account. Furthermore, in order to perform the following Remote Code
Execution (RCE) attack, the attacker should know or guess/disclose the
webserver path in which OJS is located (e.g.
/var/www/html/ojs-3.5.0-1).


[-] Solution:

Upgrade to versions 3.3.0-22, 3.4.0-10, 3.5.0-2, or later.


[-] Disclosure Timeline:

[21/10/2025] - Vendor notified
[24/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11973
[12/11/2025] - CVE identifier requested
[20/11/2025] - Version 3.3.0-22 released
[22/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67890 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-11
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • [KIS-2025-11] Open Journal Systems <= 3.5.0-1 (NativeXmlIssueGalleyFilter.php) Path Traversal Vulnerability Egidio Romano (Dec 27)

文章来源: https://seclists.org/fulldisclosure/2025/Dec/33
如有侵权请联系:admin#unsafe.sh