======================================================================== OpenX security advisory OPENX-SA-2009-002 ------------------------------------------------------------------------ Advisory ID: OPENX-SA-2009-002 Date: 2009-Apr-01 Security risk: Critical Applications affetced: OpenX Versions affected: <= 2.4.10, <= 2.6.4, <= 2.7.29-beta Versions not affected: >= 2.4.11, >= 2.6.5, >= 2.8.0 ======================================================================== ======================================================================== Multiple vulnerabilities Discovered by Sandro Gauci ======================================================================== Description ----------- A security review was recently being conducted on Openx 2.6.4 by Sandro Gauci. As part of the review he reported the following vulnerabilities: - SQL injection in adview.php and other delivery scripts because of missing or improper validation of the "OAID" cookie; - SQL injection in tjs.php because of missing or improper validation of the "referer" GET parameter; - XSS vulnerability in sso-accounts.php because of missing or improper validation of the "email" GET parameter (2.4.x not affected) - Possible arbitrary file deletion in tjs.php via the "trackerid" GET parameter - Possible CRLF injection in various delivery files because of missing sanitisation of parameters (PHP 4.4.2 or 5.1.2 and follwing versions are not affected) - Possible arbitrary file deletion in various delivery scripts Both the SQL injection vulnerabilities can be remotely exploited by unauthenticated attackers: upgrading is strongly advised. References ---------- https://developer.openx.org/jira/browse/OX-4867 http://resources.enablesecurity.com/advisories/openx-2.6.4-multiple.txt ======================================================================== Vulnerabilites previously repoted by Secunia ======================================================================== Description ----------- A security review was previously conducted by Sarid Harper on behalf of Secunia and led to the release of OpenX 2.4.10 and 2.6.4 fo fix a number of vulnerabilities. He recently reported that OpenX 2.6.4 was still vulnerable to two of them and they have been properly fixed now: - Input passed to the "userid" parameter in "www/admin/admin-user.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site (#9) - Input passed to the "agencyid" parameter in "www/admin/agency-edit.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site (#11) References ---------- http://secunia.com/advisories/32197/ https://developer.openx.org/jira/browse/OX-4803 https://developer.openx.org/jira/browse/OX-4805 https://developer.openx.org/jira/browse/OX-4957 ======================================================================== Multiple SQL injections and XSS vulnerabilities ======================================================================== Description ----------- A security review was internally performed following Secunia's report. A number of XSS vulnerabilities were found and fixed, plus several SQL injection vulnerabilities: - SQL injection in userlog-index.php via the "advertiserId" parameter - SQL injection in channel-edit.php via the "affiliateid" parameter - SQL injection in banner-zone.php via the "bannerid" parameter All require authentication to be exploited. References ---------- https://developer.openx.org/jira/browse/OX-4826 Solution ======== We stronly advise people running affected versions to upgrade to the most recent versions of OpenX: 2.4.11, 2.6.5 or 2.8.0. Contact informations ==================== The security contact for OpenX can be reached at: _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/