OpenX Community Forums

Post #1, Dec 22 2009, 08:36 PM
Advanced Member, Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898
Recently, my Openx 2.8.1 server was hacked. I have successfully recreated the exploit that allows an anonymous user to login to the admin site and gain control of my ads.
Just to be thorough, I downloaded and installed 2.8.2 (in a non-production environment), and have successfully reproduced the exploit there! In other words, if you are running a current, unmodified release of OpenX, it is possible to anonymously log in to the admin site and gain administrator-level control of the system. I highly recommend blocking public access to the /www/admin area of your openx installation until this is resolved. IMHO, this is about as serious a bug as you can have. If an OpenX developer will contact me, I will share my findings so that this problem can be fixed.

Post #2, Dec 23 2009, 09:19 AM
Member, Group: Members, Posts: 25, Joined: 29-January 08, From: Belarus, Member No.: 19,955
You can also create a new issue here:
https://developer.openx.org/jira/

P.S. I'm not an OpenX Developer.

Post #3, Dec 23 2009, 12:29 PM
Advanced Member, Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898
Matthieu, an openx developer, responded to a PM I sent him about this issue. Hopefully, he will take this seriously and the problem will be fixed soon.
In the meantime, it is best to take the bold print in my first post very seriously.

Post #4, Dec 23 2009, 06:24 PM
Beginner, Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351
> Matthieu, an openx developer, responded to a PM I sent him about this issue. Hopefully, he will take this seriously and the problem will be fixed soon. In the meantime, it is best to take the bold print in my first post very seriously.

We take security very seriously. To our knowledge there are no vulnerabilities to the 2.8.2 release. We strongly encourage everyone to upgrade to 2.8.2. Charlie, I understand you are talking with Matthieu, please send any additional info to him and/or to our security team at security@openx.org.

Michael Todd
OpenX

Post #5, Dec 23 2009, 07:04 PM
Advanced Member, Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898
Matthieu and I have been in contact, and the issue is actively being reviewed. I am confident a patch is forthcoming. (I have already seen a patch offered by a third party, and have forwarded it to Matthieu for review.) This DOES affect 2.8.2, but is easily corrected.

> We take security very seriously. To our knowledge there are no vulnerabilities to the 2.8.2 release. We strongly encourage everyone to upgrade to 2.8.2. Charlie, I understand you are talking with Matthieu, please send any additional info to him and/or to our security team at security@openx.org.
> Michael Todd, OpenX

Post #6, Dec 24 2009, 12:32 AM
Beginner, Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351
The OpenX security team was able to verify a vulnerability that could allow a remote attacker to gain administrator access to the adserver. We strongly suggest that all users upgrade their systems to 2.8.3, which fixes this problem. The download is available at http://www.openx.org/ad-server/download.

Alternatively, users can delete the <path-to-openx>/www/admin/install.php and the install-plugins.php files. These files are not used after the installation.

Michael Todd
OpenX

Post #7, Dec 24 2009, 02:01 AM
Advanced Member, Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898
> The OpenX security team was able to verify a vulnerability that could allow a remote attacker to gain administrator access to the adserver. We strongly suggest that all users upgrade their systems to 2.8.3, which fixes this problem. The download is available at http://www.openx.org/ad-server/download. Alternatively, users can delete the <path-to-openx>/www/admin/install.php file. This file is not used after installation, so it will not affect the functionality of the product.
> Michael Todd, OpenX

A couple final notes before I let this fade away.

1) Once I got my problem in front of a developer, things happened really fast. Exploits are a fact of life with open source code, and Matthieu stayed patient when I got frustrated. He stayed focused on reproducing and resolving the issue. Kudos!

2) Michael Todd's "Alternatively" solution only applies if you are running 2.8.2. This will not help you if you are running 2.8.1. The safest bet is to quickly move to 2.8.3.

3) Thanks to Matteo Beccati for contacting me and offering a solution to the problem. Very intelligent, friendly, and helpful.

Post #8, Dec 24 2009, 02:42 AM
Advanced Member, Group: Members, Posts: 32, Joined: 13-June 06, Member No.: 11,475
> A couple final notes before I let this fade away.
> 1) Once I got my problem in front of a developer, things happened really fast. Exploits are a fact of life with open source code, and Matthieu stayed patient when I got frustrated. He stayed focused on reproducing and resolving the issue. Kudos!
> 2) Michael Todd's "Alternatively" solution only applies if you are running 2.8.2. This will not help you if you are running 2.8.1. The safest bet is to quickly move to 2.8.3.
> 3) Thanks to Matteo Beccati for contacting me and offering a solution to the problem. Very intelligent, friendly, and helpful.

I am a bit concerned that so far there has been no official announcement regarding this issue except on the openx blog, and I have not seen a formal statement or warning come across the email list I subscribed to when I upgraded the last time. Instead of a simple SQL injection banner taint, this could very well have resulted in people's machines being remotely compromised, and is a very serious issue. It should be treated as such.

Kudos for getting it fixed in a timely fashion, but you've lost face already; put up the warning flags, get the message out on the FRONT PAGE of openx.org, not squirreled away on the forums and the blog that few people read.

A week ago I saw OSSEC notifications that people were scanning for openx installs, so to be proactive I came to openx.org, and to the forums, and looked around for new release info or anything pertaining to this issue. I saw nothing and thought nothing more of it, as the kiddies are often scanning for old exploits that were fixed long ago. If I hadn't seen a blog post in my RSS reader pop up tonight, there's a good chance I'd be cleaning up a mess right now as opposed to spending 5 minutes upgrading my install.

Post #9, Dec 24 2009, 09:43 AM
Master, Group: Members, Posts: 658, Joined: 25-July 08, From: Bangalore, India, Member No.: 22,414
> Alternatively, users can delete the <path-to-openx>/www/admin/install.php file. This file is not used after installation, so it will not affect the functionality of the product.

Does this patch hold for 2.6+ versions too? Or does this bug not appear in those versions?

Post #10, Dec 24 2009, 01:25 PM
Advanced Member, Group: Members, Posts: 92, Joined: 17-February 09, Member No.: 25,898
> > Alternatively, users can delete the <path-to-openx>/www/admin/install.php file. This file is not used after installation, so it will not affect the functionality of the product.
> Does this patch hold for 2.6+ versions too? Or does this bug not appear in those versions?

Perhaps an OpenX team member can answer that. I have only tested 2.8.1 and 2.8.2, and will review 2.8.3 very soon. At this point in time, I believe the safest bet is to upgrade to 2.8.3.

Post #11, Dec 24 2009, 06:59 PM
Beginner, Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351
We are reviewing all previous versions, but at this point we recommend that users restrict access to the install.php file by simply moving it, restricting permissions or upgrading to 2.8.3.
Michael Todd
OpenX

Post #12, Dec 25 2009, 12:57 AM
Beginner, Group: Members, Posts: 6, Joined: 23-December 09, Member No.: 79,351
A suggestion from another openX user for a more complete work-around solution: remove install-plugins.php and install.php. This will secure both 2.8.2 and 2.8.1.

Again, truly the best way to secure your setup is to upgrade to 2.8.3.

Michael Todd
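The work-around given in this post and in post #6 (remove install.php and install-plugins.php from www/admin), together with the kind of access-log check that post #8's OSSEC alerts call for, as an added shell example that is not from this thread or from the OpenX project. It assumes the <path-to-openx>/www/admin layout named in the thread and a combined-format web-server access log; the install tree and log lines it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenX project: check an OpenX 2.8.x
# install for the leftover installer scripts named in the thread, move them out
# of the web root, and count access-log requests that touched them.
# Assumptions: OpenX lives at <path-to-openx> with the www/admin layout from the
# thread; the web server writes a combined-format access log.

# Print how many of the two installer scripts are still under www/admin.
openx_count_leftovers() {
    n=0
    for f in install.php install-plugins.php; do
        if [ -f "$1/www/admin/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Move leftover installer scripts into a quarantine directory outside the web
# root; kept rather than deleted so file timestamps survive for later review.
openx_quarantine_installers() {
    root="$1"; quarantine="$2"
    mkdir -p "$quarantine"
    for f in install.php install-plugins.php; do
        if [ -f "$root/www/admin/$f" ]; then mv "$root/www/admin/$f" "$quarantine/$f"; fi
    done
    return 0
}

# Count requests in a combined-format access log that hit the installer scripts;
# grep -c exits 1 on zero matches, so "|| true" keeps set -e callers alive.
openx_installer_hits() {
    grep -c -E '"(GET|POST) [^" ]*/www/admin/install(-plugins)?\.php' "$1" || true
}

# Stand-alone demo on a constructed install tree and constructed log lines.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/www/admin"
touch "$demo_root/www/admin/install.php" "$demo_root/www/admin/install-plugins.php"
cat > "$demo_root/access.log" <<'EOF'
203.0.113.5 - - [20/Dec/2009:03:14:07 +0000] "GET /openx/www/admin/install.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2009:03:14:09 +0000] "POST /openx/www/admin/install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2009:08:00:01 +0000] "GET /openx/www/admin/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
EOF
echo "leftover installer scripts: $(openx_count_leftovers "$demo_root")"        # 2
echo "installer requests in log: $(openx_installer_hits "$demo_root/access.log")"  # 2
openx_quarantine_installers "$demo_root" "$demo_root/quarantine"
echo "leftovers after quarantine: $(openx_count_leftovers "$demo_root")"         # 0
rm -rf "$demo_root"
```

On a real host, point the functions at the actual OpenX root and the web server's access log; a non-zero hit count before the files were removed is a reason to review that installation rather than just patch it.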

Post #13, Dec 27 2009, 10:33 PM
Advanced Member, Group: Members, Posts: 32, Joined: 8-August 05, Member No.: 6,791
It's pathetic.
The same bug AGAIN that also led my 2.8.1 to be hacked. And once again, have they emailed their list of subscribers who want security updates? Like hell they have.

Post #14, Dec 28 2009, 04:26 AM
Advanced Member, Group: Members, Posts: 54, Joined: 13-February 09, From: Tokyo, Member No.: 25,784
Wow, this is a horrible mistake. But everyone makes them...
I could agree with the above comment that this one would need to be taken care of in a better way...

Post #15, Feb 23 2010, 02:50 PM
Advanced Member, Group: Members, Posts: 43, Joined: 9-August 06, Member No.: 12,154
We're running 2.8.4 and just noticed a trojan compromise reported by our users; our team is researching the issue now. We've searched the append columns and found nothing, so it may be something more advanced, hiding Adobe-hack trojan inserts inside the HTML code.

> You are currently using OpenX v2.8.4 running on Apache 2.2.3, PHP 5.1.6 and MySQL 5.0.88-rs.