Update for OpenX ad server closes hole
The OpenX developers have released version 2.8.7 of their free open source ad server, likely closing the security hole discovered earlier this week. The vulnerability was the result of a component integrated in OpenX's video plug-in from a third-party, which allows images to be uploaded.
The "Open Flash Chart 2" module (ofc_upload_image.php) failed to check who uploaded what onto the server. The vulnerability allowed executable scripts to be uploaded and executed on the server – and criminals soon exploited it to attack the web servers of The Pirate Bay, esarcasm.com and AfterDawn.com.
In a blog post, the OpenX developers recommend that administrators upgrade to the new versions immediately because of a vulnerability. However, the release notes of version 2.8.7 don't indicate whether a hole was closed, or which hole it was. Commenting on the blog post, users have criticised the OpenX project for its slow response and scarcity of information.
(crve)