OpenX Community Forums

Post #1, Dec 18 2009, 03:38 PM
Beginner (Group: Members, Posts: 5, Joined: 29-July 09, Member No.: 29,605)
On December 17 our installation of OpenX was attacked.

HTML code containing an iframe that loaded a malicious site was injected into our database. The code was injected into the table openx_banners, in the column append. We removed the code, scanned our entire database, and all files on our site. It appears this column was the only thing affected. We upgraded to version 2.8.2, but I didn't notice anything in the changelog that specifically mentioned a SQL injection vulnerability. Has anyone else had this problem on 2.8.x?
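
The injection described in the post above, with an added detection example that is not part of this thread or of OpenX: it takes (bannerid, append) rows as you would get from a query such as SELECT bannerid, append FROM openx_banners (the column name bannerid is an assumption; append is the column the post names) and flags any append field containing an iframe, script, object or embed that loads from a host outside an allowlist, or an iframe sized or styled to be invisible. The allowlist hosts and the sample rows are constructed for the example.

```python
"""Scan OpenX banner 'append' HTML for injected iframe/script tags.

Added example, not from the original thread or from OpenX. It does not talk
to the database itself: pass in (bannerid, append_html) tuples pulled from
openx_banners. ALLOWED_HOSTS and SAMPLE_ROWS are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that can pull and run third-party content from inside an ad slot.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}

# Hypothetical allowlist: hosts your own creative is permitted to load from.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}


class ActiveTagFinder(HTMLParser):
    """Collects (tag, src, hidden) for every active tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:  # HTMLParser already lowercases names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width", "").strip() in ("0", "1")
                  or a.get("height", "").strip() in ("0", "1")
                  or "display:none" in style
                  or "visibility:hidden" in style
                  or "hidden" in a)
        self.findings.append((tag, src, hidden))


def host_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if src.startswith("//"):
        src = "http:" + src
    return urlparse(src).hostname or ""


def find_injected_tags(html, allowed_hosts=ALLOWED_HOSTS):
    """Return suspicious active tags found in one append field.

    A tag is suspicious when it loads from a host outside allowed_hosts, or
    when it is an iframe sized/styled so the visitor never sees it (the usual
    way a drive-by redirect is hidden inside an otherwise normal ad slot).
    Inline <script> without a src is not examined here.
    """
    parser = ActiveTagFinder()
    parser.feed(html or "")
    parser.close()
    out = []
    for tag, src, hidden in parser.findings:
        host = host_of(src)
        reason = None
        if hidden and tag == "iframe":
            reason = "hidden iframe"
        elif host and host not in allowed_hosts:
            reason = f"{tag} loads off-site host {host}"
        if reason:
            out.append({"tag": tag, "src": src, "reason": reason})
    return out


def scan_banners(rows, allowed_hosts=ALLOWED_HOSTS):
    """Map bannerid -> findings for every row whose append field is suspicious."""
    flagged = {}
    for bannerid, append_html in rows:
        hits = find_injected_tags(append_html, allowed_hosts)
        if hits:
            flagged[bannerid] = hits
    return flagged


# Constructed sample rows standing in for a SELECT from openx_banners.
SAMPLE_ROWS = [
    (1, '<img src="http://ads.example.com/pixel.gif" width="1" height="1">'),
    (2, '<script src="http://cdn.example.com/track.js"></script>'),
    (3, '<IFRAME src="http://evil.example.net/in.php" width=0 height=0 '
        'style="visibility: hidden"></IFRAME>'),
    (4, '<iframe src="//bad.example.org/x.html" width="300" height="250"></iframe>'),
    (5, ""),
]

if __name__ == "__main__":
    for bannerid, hits in sorted(scan_banners(SAMPLE_ROWS).items()):
        for h in hits:
            print(f"bannerid={bannerid}: {h['reason']} ({h['src']})")
```

Rows 3 and 4 are the ones reported: the first because the iframe is zero-sized and hidden, the second because it loads from a host outside the allowlist. A tracking pixel or a script from an allowed host is left alone, so the check can be run over the whole table rather than eyeballing each append field.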

Post #2, Dec 18 2009, 09:23 PM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)
I believe this is a problem in 2.8.1 and earlier. The SQL injection has been fixed in 2.8.2, but I believe this attack indicates that there is a second, possibly unreported problem.

I had the same thing happen to our OpenX installation. PM to you on its way; I'd like to compare notes.

Post #3, Dec 18 2009, 09:23 PM
Beginner (Group: Members, Posts: 5, Joined: 29-July 09, Member No.: 29,605)
We were running 2.8.1 when we were attacked.

Post #4, Dec 18 2009, 09:38 PM
Beginner (Group: Members, Posts: 5, Joined: 29-July 09, Member No.: 29,605)
Do you have a link to more information about the previous vulnerability?

Post #5, Dec 18 2009, 09:46 PM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)

Post #6, Dec 21 2009, 04:15 PM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)
I debated for some time whether to post this publicly. I feel that this attack represents a very serious threat to the security of OpenX, and parts of the current (2.8.2) version could be affected. I have attempted to contact, via private messages, members of the OpenX team to discuss this privately, but, several days later, they have chosen not to respond to my messages. I strongly suggest that all OpenX users block public access to /www/admin until OpenX confirms that all aspects of this intrusion have been corrected and updates are made available.
Hopefully, I will not be banned from here for providing a detailed breakdown of what happened to my server. I have seen recent posts from OpenX team members; it is unfortunate that they have chosen not to respond to this issue. This issue is out "in the wild." I don't think my attacker was particularly knowledgeable; I think he was just following instructions he found on the internet. Since the bad guys have the information, I think the good guys need to know too.

Here is a breakdown of this attack. From my Apache log, this attack started early in the morning on December 17:

Now that I have received a response from OpenX developers, I think it best to remove my log files from this site. But, best to look past 2.8.2 for a fix to this type of issue...

-Charlie West

To protect myself against this attack, I have removed the two files uploaded to /www/images. I also reconfigured Apache to disallow public access to /www/admin. This way, the attacker cannot reach the pages they were using to exploit the security flaws in OpenX. Another potentially worthwhile change would be to configure Apache so the .php pages in /www/images do not execute as PHP. I have not done this, because it is only of limited help. Areas such as /var/cache are also writable by the Apache user, and this area needs to be able to execute PHP in order to function properly.

If 2.8.2 does fix the uploaded file security flaw, then it is a worthwhile upgrade, and I may soon upgrade from 2.8.1. However, I can find no mention anywhere of the security flaw that allowed the attacker to get logged into my system. Until it is revealed whether this bug has been found and fixed, 2.8.2 may only fix part of the problem. Attackers may still be able to break into the OpenX admin.

I STRONGLY RECOMMEND DISALLOWING PUBLIC ACCESS TO /WWW/ADMIN UNTIL A SOLUTION IS ANNOUNCED. FAILURE TO DO SO COULD ALLOW AN ATTACKER TO GAIN CONTROL OF YOUR OPENX INSTALLATION.

Post #7, Dec 21 2009, 06:09 PM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)
This story at the Register seems to be referring to this OpenX vulnerability: AintItCoolNews Malware.

This is the third exploited site that I am aware of. I'm sure there are more.

Post #8, Dec 22 2009, 07:06 PM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)
I am starting a new thread to discuss the larger issue of anonymous logins into the site admin. Stay tuned.

Post #9, Dec 23 2009, 06:29 PM
Beginner (Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351)
> I am starting a new thread to discuss the larger issue of anonymous logins into the site admin. Stay tuned.

We take security very seriously. To our knowledge there are no vulnerabilities in the 2.8.2 release. We strongly encourage everyone to upgrade to 2.8.2. Charlie, I understand you are talking with Matthieu on our security team; please send any additional info to him and/or to our security team at security@openx.org.

Michael Todd
OpenX

Post #10, Dec 24 2009, 12:26 AM
Beginner (Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351)
The OpenX security team was able to verify a vulnerability that could allow a remote attacker to gain administrator access to the adserver. We strongly suggest that all users upgrade their systems to 2.8.3, which fixes this problem. The download is available at http://www.openx.org/ad-server/download.

Alternatively, users can delete the <path-to-openx>/www/admin/install.php file. This file is not used after installation, so it will not affect the functionality of the product.

Michael Todd
OpenX
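
A filesystem check covering the two file-level indicators raised in posts #6 and #10 above, added here as an example; it is not code from the thread or from OpenX. It assumes the stock 2.8.x layout (www/admin, www/images and var/cache under one webroot) and reports a leftover www/admin/install.php, any script-extension file under www/images, and any file there whose first bytes contain a PHP open tag. It deliberately does not flag PHP under var/cache, for the reason given in post #6. The sample tree it builds is constructed; the file name bs2.php is the one reported in post #14 below.

```python
"""Audit an OpenX 2.8.x webroot for the indicators discussed in this thread.

Added example, not code from the thread or from OpenX. Assumes the stock
2.8 layout (www/admin, www/images, var/cache under one webroot). The demo
tree is constructed here; only the name bs2.php comes from the thread.
"""
import os
import shutil
import tempfile

# Extensions a typical mod_php setup will execute; the numbered variants and
# .phtml are included because AddType/AddHandler lines frequently cover them.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phps"}

# Web-server-writable directories that should never hold scripts. var/cache is
# deliberately absent: post #6 notes OpenX must execute PHP from it, so a plain
# extension check there would only produce noise.
UPLOAD_DIRS = ("www/images",)


def looks_like_php(path, nbytes=512):
    """True if the first bytes of a file contain a PHP open tag."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(nbytes)
    except OSError:
        return False
    return b"<?php" in head or b"<?=" in head


def audit_openx_webroot(root):
    """Return a sorted list of (relative_path, reason) findings for one webroot."""
    findings = []

    # 1. The installer post #10 says to remove (or upgrade to 2.8.3).
    installer = os.path.join(root, "www", "admin", "install.php")
    if os.path.isfile(installer):
        findings.append(("www/admin/install.php",
                         "installer still present; remove it or upgrade to 2.8.3"))

    # 2. Scripts, or PHP hidden under an image extension, in upload directories.
    for rel_dir in UPLOAD_DIRS:
        top = os.path.join(root, rel_dir)
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                ext = os.path.splitext(name)[1].lower()
                if ext in SCRIPT_EXTS:
                    findings.append((rel, "script file in banner image directory"))
                elif looks_like_php(full):
                    findings.append((rel, "PHP code inside a non-script file"))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed sample tree: a clean image, a dropped script, a polyglot
    image, a legitimate cache file, and the leftover installer."""
    for d in ("www/admin", "www/images", "var/cache"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {
        "www/admin/install.php": b"<?php /* installer */ ?>",
        "www/admin/index.php": b"<?php /* admin UI */ ?>",
        "www/images/banner1.gif": b"GIF89a\x01\x00\x01\x00",
        "www/images/bs2.php": b"<?php /* dropped by attacker */ ?>",
        "www/images/promo.jpg": b"\xff\xd8\xff\xe0<?php /* polyglot */ ?>",
        "var/cache/deliverycache_abc.php": b"<?php /* legitimate cache */ ?>",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, audit it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="openx-audit-")
    try:
        build_sample_webroot(root)
        return audit_openx_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it as audit_openx_webroot("/path/to/openx") against a live install. It checks files only; the Apache restriction on /www/admin that post #6 recommends, and whether PHP is executable from www/images at all, still have to be confirmed in the web server configuration.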

Post #11, Dec 24 2009, 01:56 AM
Advanced Member (Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898)
> The OpenX security team was able to verify a vulnerability that could allow a remote attacker to gain administrator access to the adserver. We strongly suggest that all users upgrade their systems to 2.8.3, which fixes this problem. The download is available at http://www.openx.org/ad-server/download.
>
> Alternatively, users can delete the <path-to-openx>/www/admin/install.php file. This file is not used after installation, so it will not affect the functionality of the product.
>
> Michael Todd, OpenX

A couple of final notes before I let this fade away.

1) Once I got my problem in front of a developer, things happened really fast. Exploits are a fact of life with open source code, and Matthieu stayed patient when I got frustrated. He stayed focused on reproducing and resolving the issue. Kudos!

2) Michael Todd's "Alternatively" solution only applies if you are running 2.8.2. This will not help you if you are running 2.8.1. The safest bet is to quickly move to 2.8.3.

3) Thanks to Matteo Beccati for contacting me and offering a solution to the problem. Very intelligent, friendly, and helpful.

Post #12, Dec 24 2009, 08:58 PM
Beginner (Group: Members, Posts: 4, Joined: 21-July 04, Member No.: 2,555)
Does this vulnerability affect only the Windows operating system, or any OS running OpenX? Has anyone running any other operating system been affected?

Post #13, Feb 23 2010, 02:31 PM
Advanced Member (Group: Members, Posts: 43, Joined: 9-August 06, Member No.: 12,154)
2.8.4 -- We were just compromised several days ago.

Post #14, Feb 23 2010, 10:33 PM
Beginner (Group: Members, Posts: 3, Joined: 11-December 09, Member No.: 76,741)
We were compromised with 2.8.2 on Feb 11, 2010. Someone uploaded a file called bs2.php to the www/images/ directory. It coincided with a new advertiser that I gave a user/pass to access his stats (no uploading of banners or anything). The guy seemed a bit shady and paid via PayPal as bs.start@gmail.com. We have since upgraded to 2.8.4 and I will no longer be giving users access to the admin.

We noticed a huge drop in traffic on the 17th and believe the file was used to redirect users to other websites. I should have kept the file, but my first instinct was to delete it. Oh, and the user's website is sherytiger.com (he contacted me via admin@sherytiger.com)... you will find that the first time you go to the site you get a bunch of links and the second time you get a real website. So, either he was hacked as well as his email, someone took over his website and is just using it as a front, or he is the actual culprit; I can't be sure.

Post #15, Mar 3 2010, 03:35 PM
Beginner (Group: Members, Posts: 5, Joined: 3-March 10, Member No.: 98,361)