OpenX Community Forums
Post #1, Sep 18 2010, 05:31 AM

Expert (Group: Admin, Posts: 163, Joined: 13-January 09, From: Pasadena, CA, Member No.: 25,179)
From the Blog Post:
We have recently resolved a number of security vulnerabilities in the downloaded version of OpenX. The latest release is available here (or mirror). As with any open source downloaded software, it is important to update it when new releases come out to keep your system secure. Upgrading to the latest version of OpenX will close all known security issues.

After you download 2.8.7, you need to perform a full security audit to ensure that your system is secure.

First, check the append/prepend fields in the banners and zones tables for any malicious code:

```sql
SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';
SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';
```

If you see anything suspicious in those fields, you should clear those values out.

Second, check that no unexpected admin users have been created. This query will list the details of all users with admin access in your system:

```sql
SELECT u.user_id, u.contact_name, u.email_address, u.username
FROM users AS u, account_user_assoc AS aua
WHERE u.user_id=aua.user_id
AND aua.account_id = (SELECT value FROM application_variable WHERE name='admin_account_id');
```

Third, check for infected files on the filesystem. Installing the latest version of OpenX will restore all core files, but plugin files (which the installer copies up from the previous version) and files in the www/images folder should be double checked after the upgrade is complete. In particular, be on the lookout for base64_decode and/or eval statements in your php files. From the bug notes of "Arbitrary code injected into cache file" at https://developer.openx.org/jira/browse/OX-5950, users have reported some specific php files, but the issue can occur on any of the php files.
Optional steps you can take to secure your system are:

* You should regularly change the passwords for all users in the system (especially administrator/manager users).
* Removing the /path/to/openx/www/admin/install.php and the install-plugins.php files.
* Locking down the admin directory on Apache: http://forum.openx.org/index.php?showtopic...mp;#entry205811

To be notified of any future security updates, please sign up for the OpenX Newsletter and add alerts@openx.org to your address book. As always, please let us know of any potential security problems by emailing security@openx.org.
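The three audit steps in the post, wrapped into a small POSIX shell helper. This is an added example, not code from OpenX or from the post's author. It assumes the `mysql` client is on PATH, that the tables carry no prefix (the blog post's queries are used verbatim), and it introduces hypothetical `OPENX_DIR`, `OPENX_DB_NAME` and `OPENX_DB_USER` variables for the install path and database credentials. The filesystem scan goes slightly beyond the post: it matches case-insensitively, because PHP function names are case-insensitive, and it scans every file under the given directories rather than only `*.php`, since a payload dropped into `www/images` may sit behind an image extension.

```shell
#!/bin/sh
# Post-upgrade audit helper for OpenX 2.8.7 (added example, not OpenX code).
# Assumptions (not from the post): the mysql client is on PATH, the OpenX
# tables have no prefix (as in the blog post's queries), and the database
# name and user come from the hypothetical OPENX_DB_NAME / OPENX_DB_USER
# variables. OPENX_DIR is a hypothetical install path.

OPENX_DIR="${OPENX_DIR:-/path/to/openx}"
OPENX_DB_NAME="${OPENX_DB_NAME:-openx}"
OPENX_DB_USER="${OPENX_DB_USER:-openx}"

# Steps 1 and 2: run the three queries from the blog post in one session.
# -p with no value makes mysql prompt for the password, so it never lands
# in shell history or the process list.
audit_db() {
    mysql -u "$OPENX_DB_USER" -p "$OPENX_DB_NAME" <<'SQL'
SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';
SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';
SELECT u.user_id, u.contact_name, u.email_address, u.username
  FROM users AS u, account_user_assoc AS aua
 WHERE u.user_id = aua.user_id
   AND aua.account_id = (SELECT value FROM application_variable
                          WHERE name = 'admin_account_id');
SQL
}

# Step 3: list every file under the given directories that contains
# base64_decode or an eval( call. The match is case-insensitive because
# PHP function names are (EVAL(Base64_Decode(...)) is valid PHP), and all
# files are scanned, not just *.php, because a payload in www/images can
# hide behind an image extension. The output is a triage list: expect
# false positives and read each hit before deleting anything.
scan_php() {
    grep -rliE 'base64_decode|eval[[:space:]]*\(' "$@" 2>/dev/null
    return 0   # grep exits 1 when nothing matches; that is a clean result
}

# Usage (interactive):
#   audit_db
#   scan_php "$OPENX_DIR/plugins" "$OPENX_DIR/www/images"
```

Run `audit_db` first and compare the admin list against the accounts you expect; then feed the plugin and image directories to `scan_php` and inspect every file it names, since legitimate code can also call `base64_decode`.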