OpenX: multiple vulnerabilities

An advisory by EnableSecurity in collaboration with Acunetix.

Description

OpenX is an online advertising web application written in PHP that supports popular sites such as TechCrunch, SUN Microsystems and Metacafe.

From their website (openx.org):

“OpenX is a free, open source ad server that manages the selling and delivery of your online advertising inventory. You can get OpenX as a hosted service or as downloaded software.”

Credits

These vulnerabilities were discovered during testing of the AcuSensor Technology feature in Acunetix WVS. We worked with the OpenX security team to have these security flaws reported and fixed. We would like to publicly thank the OpenX team for their prompt response!

Technical details

The following vulnerabilities were identified:

Major issues:

  • SQL injection
  • Cross Site Scripting

Other issues:

  • Arbitrary File Deletion
  • CRLF injection

SQL vulnerabilities

Trigger: /adview.php

The cookie “OAID” is not filtered when adview.php is accessed and used directly to construct the SQL INSERT statement.

Trigger: /www/delivery/tjs.php

  1. The cookie “OAID” is not filtered when adview.php is accessed and used directly to construct the SQL INSERT statement.
  2. The “referer” parameter in the GET request is also used in the SQL statement and is another vector.

XSS Vulnerabilities

Trigger: /www/admin/sso-accounts.php

The “email” parameter in the POST data is simply printed out in the HTML page, allowing injection of HTML, i.e. XSS attacks.

Arbitrary file deletion

Trigger: /www/delivery/tjs.php

May not be easily exploitable but it does allow directories to be traversed when deleting cache files.

It does not seem to be exploitable on Linux, but might be exploitable on Windows. On Linux the following path would not open: /etc/../asdf/../passwd, because “asdf” does not exist. However, the following works on Windows: C:\asdf\..\boot.ini, even if “asdf” does not exist.
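The Linux/Windows difference described above, and a cache-file check that does not depend on which platform resolves the path, as an added Python example (this is not OpenX's code; the cache directory, file names and the allowlist pattern are constructed for illustration):

```python
import ntpath
import os
import posixpath
import re
import tempfile
from typing import Optional

# Allowlist for cache file names: no separators, so no traversal components at all (assumed policy).
CACHE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def lexical_collapse(path: str, windows: bool) -> str:
    """Collapse '..' purely lexically, the way Windows path handling does.

    On Linux the kernel walks each component, so a missing 'asdf' makes the open fail;
    a lexical normaliser (or Windows) throws the component away without checking it.
    """
    return (ntpath if windows else posixpath).normpath(path)


def safe_cache_path(cache_dir: str, name: str) -> Optional[str]:
    """Return the resolved path of a cache file, or None if `name` could leave cache_dir."""
    if name in (".", "..") or not CACHE_NAME_RE.fullmatch(name):
        return None
    root = os.path.realpath(cache_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Compare resolved paths so the check holds whether '..' is collapsed lexically or not.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def delete_cache_file(cache_dir: str, name: str) -> bool:
    """Delete a cache file only when it passes the allowlist and containment checks."""
    path = safe_cache_path(cache_dir, name)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def demo() -> tuple:
    """Constructed scenario: one real cache file, one traversal attempt, one legitimate delete."""
    with tempfile.TemporaryDirectory() as cache_dir:
        with open(os.path.join(cache_dir, "banner_42.cache"), "w") as fh:
            fh.write("cached banner")
        traversal = delete_cache_file(cache_dir, "..\\boot.ini")  # rejected by the allowlist
        legitimate = delete_cache_file(cache_dir, "banner_42.cache")  # inside cache_dir, removed
        return traversal, legitimate, os.listdir(cache_dir)
```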

CRLF Injection

It seems that the current version of PHP does not allow headers with multiple lines, i.e. ones that contain the carriage return and line feed characters. Therefore OpenX does not appear to be exploitable. However, the code does allow CRLF injection and this may be exposed in some other way (e.g. old versions of PHP).

Affected endpoints:

  • /adframe.php
  • /adjs.php
  • /www/delivery/tjs.php

Demonstration

Video: http://www.youtube.com/watch?v=kiNeiMS2Iu0

Exploit code available to organizations by contacting info@enablesecurity.com

Timeline

  • Feb 03, 2009: An email was sent to the security team at OpenX and PGP keys exchanged
  • Feb 03, 2009: Sent report to OpenX team with full details
  • Feb 04, 2009: A patch was provided to us and we verified that the patch fixes the reported issues
  • Apr 01, 2009: Co-ordinated information release

Solution

Upgrade to the latest version of OpenX: http://www.openx.org/ad-server/download

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.