CVE-2022-24181: Add support for limiting allowed hosts · Issue #7649 · pkp/pkp-lib
Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.
Description of problem
OJS/OMP/OPS currently uses the HTTP_HOST, SERVER_NAME, and HTTP_X_FORWARDED_HOST headers to detect the current hostname for formulating absolute URLs.
Per https://portswigger.net/web-security/host-header, these headers may be user-controlled and thus not trustworthy. This could be used to e.g. send password reset emails with poisoned links that direct the user to a 3rd-party site, where the reset hash can be captured. (We are not currently aware of another possible abuse via this mechanism.)
Thanks to Hemant Kashyap for reporting the issue.
Solution
The changes described here add support for a list of allowed host names to be provided in the config.inc.php configuration file. User-supplied values are checked against this list and only one of the listed values will be allowed.
Affected versions
This issue affects all releases of OJS, OMP, and OPS versions 3.3.0-8 and older.
How to resolve the issue
Update the code to support the new allowed_hosts setting. This can be done by any of the following:
- Upgrade OJS, OMP, or OPS to version 3.3.0-9 or newer, or
- If using git, update to the latest stable-3_3_0 or stable-3_2_1 branches, or
- Apply the appropriate patch for your installation:
  - 3.3.0-9 and newer: Not affected.
  - 3.3.0-1 through 3.3.0-8: OJS OMP OPS
  - 3.2.0 or 3.2.1: OJS OMP OPS
  - 3.0 to 3.1.x: Upgrading is recommended, but you may apply this untested patch (for OJS and OMP).
  - 2.x: No patch available; upgrading is recommended.
Add an allowed_hosts setting to the general section of your config.inc.php configuration file. Here is the description/example from config.TEMPLATE.inc.php:
; Restrict the list of allowed hosts to prevent HOST header injection.
; See docs/README.md for more details. The list should be JSON-formatted.
; An empty string indicates that all hosts should be trusted (not recommended!)
; Example:
; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
allowed_hosts = ''
- You can test whether or not the configuration is working by intentionally misconfiguring allowed_hosts. Attempting to load a page from the software should result in a 400 Bad Request error page.
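To illustrate the check the Solution section describes, here is an added PHP example (not pkp-lib's own code) that parses a JSON-formatted allowed_hosts value like the template above and validates the host a request claims, rejecting a disallowed one with a 400. Function names and the sample host names are assumptions.

```php
<?php
// Added example, not pkp-lib's own code. Parses a JSON allowed_hosts setting and
// validates the request host against it; function names are hypothetical.
// Parse the config.inc.php value. Empty string = trust all hosts (not recommended), returned as null.
function parseAllowedHosts(string $setting): ?array
{
    if (trim($setting) === '') {
        return null;
    }
    $hosts = json_decode($setting, true);
    if (!is_array($hosts)) {
        throw new InvalidArgumentException('allowed_hosts must be a JSON array of host names');
    }
    return array_map(fn($h) => strtolower(trim((string) $h)), $hosts);
}
// Take the host the request claims, preferring X-Forwarded-Host (proxy setups), then
// HTTP_HOST, then SERVER_NAME. The first header present is the one checked; a disallowed
// value is rejected rather than falling back. Returns the host for absolute URLs, or null.
function resolveRequestHost(array $server, ?array $allowedHosts): ?string
{
    foreach (['HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // X-Forwarded-Host may hold a comma-separated chain; the first entry is the client-facing host.
        $host = strtolower(trim(explode(',', $server[$key])[0]));
        // Drop an explicit trailing port such as "myjournal.tld:8080" before comparing.
        $host = preg_replace('/:\d+$/', '', $host);
        if ($allowedHosts === null || in_array($host, $allowedHosts, true)) {
            return $host;
        }
        return null;
    }
    return null;
}
// Constructed sample: the template's example list, a normal request, and a request
// carrying an injected X-Forwarded-Host of the kind the issue describes.
$allowed = parseAllowedHosts('["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]');
$requests = [
    'normal'  => ['HTTP_HOST' => 'myjournal.tld'],
    'spoofed' => ['HTTP_HOST' => 'myjournal.tld', 'HTTP_X_FORWARDED_HOST' => 'not-allowed.example'],
];
foreach ($requests as $label => $server) {
    $host = resolveRequestHost($server, $allowed);
    if ($host === null) {
        http_response_code(400); // the 400 Bad Request behaviour described above
        echo "$label: rejected, host not in allowed_hosts\n";
    } else {
        echo "$label: using $host for absolute URLs\n";
    }
}
```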
Commits/pull requests
(This is for tracking development work on the issue; you likely don’t need to know this.)
PRs/commits:
main:
- #7656
- pkp/ojs#3291
- omp: pkp/omp@5703941
- ops: pkp/ops@586c281
stable-3_3_0:
- pkp-lib: #7650
- ojs: pkp/ojs#3289
- omp: pkp/omp@006ebf9
- ops: pkp/ops@f75f58a
stable-3_2_1:
- pkp-lib: 9abc0f7
- ojs: pkp/ojs@1dfad48
- omp: pkp/omp@29c4595
- ops: pkp/ops@a2e7bb8