Warning: new OpenX exploit

Walter

Well-known member
As I know that the OpenX advertising script (formerly known as phpAds) is pretty popular amongst forum admins here are some bad news: There is a new exploit out there and there is currently no patch available from OpenX. There are first reports of compromises.

The exploit is done via the Open Flash Chart 2 module (you can upload pretty anything via ofc_upload_image.php). The only solution to prevent attacks is to delete admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php if you don't use the module (99% don't use it).

There are many ways to use this exploit but one sign is if you have a file in admin/plugins/videoReport/lib/tmp-upload-images - e.g. a small shell code php script.

The OpenX web site is currently down (probably flooded by admins).
 
This warning was pretty expensive for me - I catched the script kiddies red handed on my adserver.

Now I have to clean up the garbage... :(
 
@Walter:

1. Thank you for sharing the lesson learned! :) Sorry you found it the hard way though :(
2. Can you clarify the paths involved? I'm not seeing /videoReport anywhere, is that an plugin you've added to your OpenX?

We're a bit behind on OpenX upgrades, just checked and we're running 2.8.2, not sure if that explains the missing videoReport plugin...
 
That is a plugin installed as a standard in OpenX and AFAIK it's also in 2.8.2.
Go to the directory admin/plugins/videoReport/lib/ofc2 and look for ofc_upload_image.php and delete it.
 
Omg my site just got hacked last week, I upgraded and now this.

That script seems to be as leaky as a sieve :s

Thank you very much for this thread! *rushes to delete ofc_upload_image.php*
 
TBH, I'm getting tired of OpenX problems too - it's the second major problem in a short time and their way of handling this type of issues was very bad both times.
But probably they invest more time in promoting their market place and doing silly PR releases like "we will attack Google with our market place"
 
I'd love to use a better alternative, but I don't think there is one (not with the same flexibility and definitely not for free).
 
Thank you Walter. I have been trying to figure out this stinkin issue now for a while. every time I have upgraded the problem kept happening. I figured my server had been compromised so I ran rootkit scans etc... so just a few days ago I formatted my server, installed openx once again and Bamm! this morning around 8:30am I was attacked again. I figured the attacker was just good at hiding what he was doing... I was right. Thanks to you I now know how he is doing it. I would love to find a better adserver if one is out there.... Any suggestions? like walter I dont mind paying for something if it is maintained well.

btw... I got so tired of the attacks I emailed openx sales to see what a hosted solution would cost me thinking that maybe if they were hosting it I would have less issues.. He gave me an example. If I were to have 300million imps/mo it would cost me the low, low price of $4,150 per month... what the crap? running my own server costs me around $5-600/mo. Talk about overpriced.

Now I am sure I know why they arent worried about securing the free version... if they can get us all to get tired of the attacks they can bank on the hosted solution.

Personally, I am ready for an adserver change!

-Curtis
 
Lol, what an outrageous price even for big sites that can afford. Yeah that would explain why they do not care much about the free ad server.
 
Top Bottom