OpenX releases malvertising backdoor fix


Says paid offerings unaffected.

The zip, tgz and bz2 archives of the open source product contained remote PHP code execution vulnerabilities.

OpenX has released a new version of its advertising server software to close backdoors used to deliver malvertising.

The mandatory fix was delivered in version 2.8.11 of OpenX Source.

OpenX, which counts the New York Post, Coca Cola, CBS Interactive and EA among its customers, said its paid offerings were not affected.

"Recently we became aware of a security issue ... whereby the binary distribution of v. 2.8.10 was compromised, and two of the files were replaced with two new modified files that contained a remote code execution vulnerability," senior application security engineer Nick Soracco said in a statement.

"This vulnerability only applies to the free downloadable open source product, OpenX Source.

"We are taking this opportunity to remind the OpenX Source community that it’s critical to the safe maintenance and operation of any software that you not only maintain a current version of the software, but also take steps to regularly audit accounts that have access to your system."

He encouraged users to report possible further security flaws to the company.

The company said in an advisory that the following command should be run within the top-level OpenX directory to determine if the compromised release was installed.

md5sum \
  plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js \
  plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php \
  lib/max/Delivery/common.php

The output below indicates the compromised application:

558c80e601fb996e5f6bbc99a9ee0051  plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
fa4991d5fd3bf4a947b6ab0b15ce10b2  plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php
5014c31b479094c0b32221ae1f1473ac  lib/max/Delivery/common.php

The substring below within log files indicates that the backdoor was under active exploitation:

fc.php?script=deliveryLog:vastServeVideoPlayer:player&file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js

The remote PHP code arrives as a POST parameter and is not seen in server logs by default.
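The two checks described above can be combined into one script. This is an added example, not code from OpenX or from the article; the function names and the script name are assumptions, while the checksums and the log substring are the ones quoted above.

```sh
#!/bin/sh
# Added example, not OpenX tooling: applies the indicators quoted above.

# Compromised MD5/path pairs from the advisory, in md5sum output format.
BAD_SUMS='558c80e601fb996e5f6bbc99a9ee0051  plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
fa4991d5fd3bf4a947b6ab0b15ce10b2  plugins/deliveryLog/vastServeVideoPlayer/player.delivery.php
5014c31b479094c0b32221ae1f1473ac  lib/max/Delivery/common.php'

# Request substring the advisory ties to active exploitation.
EXPLOIT_MARK='fc.php?script=deliveryLog:vastServeVideoPlayer:player&file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js'

# Read md5sum output on stdin; print each path whose hash and path both
# match a compromised pair. Accepts "hash  path", "hash *path" and "./path".
match_bad_sums() {
    while read -r sum path; do
        path=${path#\*}; path=${path#./}
        if printf '%s\n' "$BAD_SUMS" | grep -qxF -e "$sum  $path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Hash the three files under install directory $1 and report any matches.
check_install() {
    ( cd "$1" || exit 2
      printf '%s\n' "$BAD_SUMS" | while read -r sum path; do
          if [ -f "$path" ]; then md5sum "$path"; fi
      done | match_bad_sums )
}

# Count lines in the given log files that contain the marker. grep -F does
# a literal match, so "?" and "." in the URL are not treated as regex.
# The PHP payload travels in the POST body, so a hit shows only the request.
count_exploit_hits() {
    cat -- "$@" | grep -cF -e "$EXPLOIT_MARK" || true
}

# Usage: sh openx_check.sh /path/to/openx [access.log ...]
if [ "$#" -ge 1 ]; then
    dir=$1; shift
    echo "Files matching compromised checksums:"
    check_install "$dir"
    if [ "$#" -gt 0 ]; then
        echo "Log lines with exploit marker: $(count_exploit_hits "$@")"
    fi
fi
```

An empty file list means none of the three files carries a compromised checksum; it does not confirm that the installation is version 2.8.11.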


Copyright © SC Magazine, Australia
