In association with heise online

28 January 2009, 10:36

Numerous security holes in OpenX ad server

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security firm Secunia has reported a total of 22 hitherto unpatched vulnerabilities in the free OpenX ad server. The problems include cross-site scripting holes, cross-site request forgery as well as SQL injection holes, and a file inclusion hole. The latter can only be exploited via files that are stored locally, which reduces the risk of a successful attack. However, it can apparently also be exploited for directory traversing attacks to spy on a system's files. A suitable exploit has already appeared on Milw0rm independently of Secunia's report.

The flaws were discovered in the current version 2.6.3 of OpenX, but other versions are also likely to be vulnerable. While Secunia reports that the vendor has been notified, no update has so far become available. Secunia doesn't offer any practical suggestions for a workaround – apart from using a different product. Large sites like Metacafe and ReadWriteWeb, which use OpenX, will probably have difficulties with following Secunia's advice.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit