Zero-day Vulnerability in OpenX Source 2.8.11

The current version of the popular ad server software OpenX Source (2.8.11) is vulnerable to code injection attacks by a subset of registered users. The vulnerability is being actively exploited.

The problem can be fixed by changing line 311 in lib/OX/Extension/deliveryLimitations/DeliveryLimitations.php as follows:

$result = 'MAX_check' . ucfirst($this->group) . '_' . $this->component . "('".addslashes($data)."', '".addslashes($this->comparison)."')";

Users of OpenX should apply this fix immediately even if only trusted parties have access to the installation. The vulnerability is used in conjunction with other vulnerabilities to gain system access through hijacked accounts.
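The fixed line above builds a PHP function call as a string, with two user-influenced values (`$data` and `$this->comparison`) placed inside single-quoted literals, and the patch wraps both in `addslashes()`. The following is an added example, not code from the advisory, OpenX or Revive: it rebuilds that call in the patched and in an assumed unpatched form (the same concatenation without `addslashes()`; the real original line 311 is not reproduced here) and runs PHP's own tokenizer over the result to check that the generated code still has the shape `name(string, string)`. The `callShape` check, the `buildCheckCall` helper and the sample values `site`, `country` and `O'Reilly` are constructed for this example.

```php
<?php
// Added example (not from the advisory or OpenX): shows what the addslashes()
// escaping in the patched line achieves, checked with PHP's tokenizer.

// Rebuild the call string in the same shape as the patched line. $patched=false
// is the ASSUMED pre-patch form (same concatenation, no escaping).
function buildCheckCall(string $group, string $component,
                        string $data, string $comparison, bool $patched): string
{
    $esc = $patched ? 'addslashes' : fn(string $s): string => $s;
    return 'MAX_check' . ucfirst($group) . '_' . $component
        . "('" . $esc($data) . "', '" . $esc($comparison) . "')";
}

// Reduce the generated code to its token shape (whitespace and open tag dropped).
// A call whose arguments stayed inside their quotes tokenizes as
// "T_STRING ( T_CONSTANT_ENCAPSED_STRING , T_CONSTANT_ENCAPSED_STRING )".
function callShape(string $code): string
{
    $parts = [];
    foreach (token_get_all('<?php ' . $code) as $tok) {
        if (is_array($tok)) {
            if (in_array($tok[0], [T_OPEN_TAG, T_WHITESPACE], true)) {
                continue;
            }
            $parts[] = token_name($tok[0]);
        } else {
            $parts[] = $tok; // single-character tokens such as ( , )
        }
    }
    return implode(' ', $parts);
}

const EXPECTED_SHAPE = 'T_STRING ( T_CONSTANT_ENCAPSED_STRING , T_CONSTANT_ENCAPSED_STRING )';

// Constructed sample input: an ordinary value that happens to contain a quote.
$data = "O'Reilly";

foreach ([false => 'unpatched (assumed)', true => 'patched'] as $patched => $label) {
    $code  = buildCheckCall('site', 'country', $data, '==', (bool) $patched);
    $shape = callShape($code);
    printf("%-20s %s\n", $label . ':', $code);
    printf("%-20s %s -> %s\n", '', $shape,
        $shape === EXPECTED_SHAPE ? 'two string arguments, as intended' : 'SHAPE CHANGED');
}
```

With the escaping in place the quote inside the value is tokenized as part of one string literal and the call keeps exactly two string arguments; without it the tokenizer reports a different structure, which is the condition the patch closes. The shape comparison is a review aid for this example, not something OpenX itself does.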

Revive Adserver (a fork of OpenX Source) is vulnerable as well. I have submitted a pull request. Update: The Revive team confirmed the issue and accepted my patch on the same day.

By the way

If you are managing an OpenX ad server installation, take a look at the OpenX Maintenance Checklist. It helps you keep track of frequent maintenance tasks and security checks. If you sign up for an account at Checkpanel (not required) you can easily manage this checklist. You can see when you last checked each item, set reminders, work in teams and more. Checkpanel is not limited to OpenX checklists – it helps you manage all kinds of recurring tasks (see some other samples and features).