Year-old vulnerability endangers OpenX ad server
A critical security flaw in current and older versions of the popular open source OpenX ad server allows attackers to remotely compromise a server. A few reports (German language link) even discuss successful attacks on OpenX servers in which the vulnerability was exploited.
The problem is the result of a component integrated in OpenX's video plug-in from a third-party that allows images to be uploaded. In December 2009, the "Open Flash Chart 2" module (ofc_upload_image.php) was introduced, and apparently it doesn't check who is uploading what, to the server. As a result, executable scripts can be saved and then run on the server.
The problem was discovered approximately one year ago in the open source Piwik web analysis software, which uses the same module. However, the security advisory published at the time merely stated that the flaw is exploitable when the register_globals = on PHP option is enabled. Updates remedied the problem in Piwik about a year ago, but there was no official OFC update. It's not clear why the OpenX developers did not remedy the flaw in their repository. It seems they may not have known about the problem because they integrated the module after the flaw was discovered. It's also not known whether they are working on a solution. A question on the matter in the live chat at the OpenX community has not been answered.
Administrators can easily solve the problem by simply deleting the file admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php if they do not need the module. Otherwise, access can always be limited under Apache with htaccess. If the directory admin/plugins/videoReport/lib/tmp-upload-images has been created, users may want to check whether they have been attacked.