Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1

If you are using OpenX or the new Revive Adserver (fork of OpenX), you need to update it ASAP. Florian Sander discovered a serious SQL injection vulnerability that affects all versions of OpenX and all versions of the Revive Adserver. From the Revive advisory:

An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander.

The vulnerability is known to be already exploited to gain unauthorized access to the application using brute force mechanisms, however other kind of attacks might be possible and/or already in use. The risk is rated to be critical as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.

The XML-RPC delivery invocation script was failing to escape its input parameters in the same way the other delivery methods do, allowing attackers to inject arbitrary SQL code via the “what” parameter of the delivery XML-RPC methods. Also, the escaping technique used to handle such parameter in the delivery scripts was based on the addslashes PHP function and has now been upgraded to use the dedicated escaping functions for the database in use.

We highly recommend anyone using OpenX to upgrade to the latest Revive version, or as a temporary fix, remove the file “www/delivery/axmlrpc.php” from your installation.

Clients using our CloudProxy Website Firewall are already protected against it. If you want to protect your OpenX / Revive install, you can sign up for CloudProxy here.

OpenX.org Compromised and Downloads Injected with a Backdoor

We received reports that OpenX.org was compromised and the OpenX download files had a backdoor injected in them. According to Heise (in German), the malicious files were modified around November/2012, and have been undetected since.

It means that if you have downloaded OpenX during the last 7 months, it likely contains a backdoor that could allow the attackers full access to your site. That’s how serious it is.

*The OpenX team have confirmed the breach and removed the bad files from their servers.


Read More

OpenX.org serving malware?

We are tracking a few sites that are currently blacklisted and showing a warning from Google that openx.org (home of a popular open source ad server) is the site responsible for the infection:

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including openx.org/.

By looking at the diagnostic page for openx.org itself, it shows:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, openx.org appeared to function as an intermediary for the infection of 82 site(s) including solovenezolanas.com/, thelocal.de/, drtuber.com/.

We are still tracking to see which ads are causing the issue, or if the openx servers themselves are compromised. If you include the tracking code from openx.org, we recommend that you check to see if there isn’t any malicious code being pushed to your users.

ASIS International Website Blacklisted by Google

The official website (asisonline.org) of ASIS International, a major physical security association was hacked and blacklisted yesterday. Add another case to the list of sites using outdated and/or vulnerable applications. In the case of ASIS, they were running a vulnerable version of OpenX (ad server software) and the attackers injected malicious code in there.

Anyone visiting the ASIS website has ads served from ads.asisonline.org which is the culprit. The ad server is loading malware from: hxxp://liyerfit.com/blogs/martin/. The malware string can be detected using our scanner.



Read More