OpenX used to serve malicious advertisements

Security researcher Brian Krebs has reported on an as yet unpatched vulnerability in the open source advertising platform OpenX, which is being used to plant malware on web sites that use the software to serve ads to their visitors. OpenX has since acknowledged the security hole and has published a workaround on its blog. According to Krebs, OpenX CTO Michael Todd has promised a fix for the affected versions of OpenX "early next week".

The first compromised systems were discovered by Infosec researcher Mark Baldwin, who found that attackers were exploiting a cross-site request forgery (CSRF) vulnerability to create a malicious "openx-manager" account on affected systems and then started serving ads with malicious payloads via the OpenX platform. This account gets created by JavaScript executed when a legitimate administrator logs into the advertising platform and is served an ad in the administration interface that comes from OpenX's own advertising servers. It is not yet clear whether OpenX's servers were compromised, but this scenario seems likely.

Krebs was unable to ascertain whether this security vulnerability is connected in any way to a similar CSRF flaw that was discovered in an older version of OpenX in June 2011. This is not the first time OpenX installations have been targeted by criminals seeking to distribute malware through advertising banners; similar attacks happened in September 2010 and January 2009.

The OpenX blog posting is advising users to remove the vulnerable files from their installations and gives instructions how to do so. Users should also check if the "openx-manager" user exists on their system and remove it if it does. OpenX is available both as a GPv2L-licensed version and as a hosted solution under a proprietary licence. Both versions are affected by the security vulnerability.

(fab)