18. December 2013

Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1

The current versions of the popular ad server software OpenX Source (2.8.11) and Revive Adserver (3.0.1) are vulnerable a sql injection attack which allows attackers to gain backend access. The vulnerability is actively being exploited.

The OpenX team has been informed. For Revive, I submitted a pull request with a fix.

Since Revive Adserver is the official successor to OpenX Source, I assume that there will not be an updated version of OpenX Source (after all, there wasn’t one for the last vulnerability). I have created a set of patched files which fix the vulnearbility in OpenX 2.8.11: openx-2.8.11-sql-injection-patch.zip. To patch Revive Adserver, use the files from revive-3.0.1-sql-injection-patch.zip.

I recommend applying the patches immediately, since the vulnerability is actively being exploited and has been for some time now.

Update 19.12.: The revive team confirmed the vulnerability and is working on a fixed version.
Update 20.12.: The Revive team released Revive Adserver 3.0.2 which fixes the vulnerability. If possible, I recommend to update to this version as soon as possible (including users of OpenX). Thanks a lot to the team for the quick reaction!
The Revive team also suggest a quicker temporary fix for people who cannot update right away: Remove “www/delivery/axmlrpc.php” if you do not need xmlrpc delivery (most setups use different delivery methods).
Update 3.2.2014: Removing axmlrpc.php alone does not seem to be enough to fully protect an installation. dxmlrpc.php should be removed as well. Many thanks to Péter Veres for the discovery!

By the way

If you are managing an OpenX Source or Revive Adserver installation, take a look at the OpenX Maintenance Checklist or Revive Adserver Maintenance Checklist. It helps you keeping track of frequent maintenance tasks and security checks. If you sign up for an account at Checkpanel (not required) you can easily manage this checklist. You can see when you last checked each item, set reminders, work in teams and more. Checkpanel is not limited to OpenX/Revive checklists – it helps you managing all kinds of recurring tasks (see some other samples and features).

(This article is also available in German)

Powered by WordPress

Subscribe to RSS Feed