OpenX 2.6.4 multiple vulnerabilities
__________________________________________________________________
OpenX multiple vulnerabilities
__________________________________________________________________
An advisory by EnableSecurity in collaboration with Acunetix.
Advisory URL:
http://resources.enablesecurity.com/advisories/openx-2.6.4-multiple.txt
Version: OpenX 2.6.4 and older versions
Description:
OpenX is an online advertising web application written in PHP that supports
popular sites such as TechCrunch, SUN Microsystems and Metacafe.
>From their website (openx.org):
"OpenX is a free, open source ad server that manages the selling and delivery
of your online advertising inventory. You can get OpenX as a hosted service or
as downloaded software."
Credits:
These vulnerabilities were discovered during testing of AcuSensor Technology
feature in Acunetix WVS.
We worked with the OpenX security team to have these security flaws reported
and fixed.
We would like to publicly thank the OpenX team for their prompt response!
__________________________________________________________________
Technical details:
The following vulnerabilities were identified:
Major issues:
- SQL injection
- Cross Site Scripting
Other issues:
- Arbitrary File Deletion
- CRLF injection
----------- Major issues -----------
::::: SQL vulnerabilities :::::
[[ Trigger: /adview.php ]]
Description:
The cookie "OAID" is not filtered when adview.php is accessed and used directly
to construct the SQL INSERT statement.
[[ Trigger: /www/delivery/tjs.php ]]
Description:
1. The cookie "OAID" is not filtered when adview.php is accessed and used
directly to construct the SQL INSERT statement.
2. The "referer" parameter in the GET request is also used in the SQL statement
and is another vector.
::::: XSS Vulnerabilities :::::
[[ Trigger: /www/admin/sso-accounts.php ]]
Description:
The "email" parameter in the POST data is simply printed out in the html page,
allowing injection of HTML i.e. XSS attacks.
----------- Possible issues -----------
::::: Arbitary file deletion :::::
[[ Trigger: /www/delivery/tjs.php ]]
Reason:
May not be easily exploitable but it does allow directories to be traversed
when deleting cache files.
Exploitation:
It does not seem to be exploitable on Linux, but might be exploitable on
Windows. On Linux the following path would not open: /etc/../asdf/../passwd
because "asdf" does not exist. However the following works on Windows:
C:\asdf\..\boot.ini, even if "asdf" does not exist.
::::: CRLF Injection :::::
Reason:
It seems that the current version of PHP does not allow headers with multiple
lines, i.e ones that contain the carraige and return line feed characters.
Therefore OpenX does not appear to be exploitable. However, the code does allow
CRLF injection and this may be exposed in some other way *(eg. old versions of
PHP ?).
[[ Trigger: /adframe.php ]]
[[ Trigger: /adjs.php ]]
[[ Trigger: /www/delivery/tjs.php ]]
__________________________________________________________________
Demonstration:
http://www.youtube.com/watch?v=kiNeiMS2Iu0
Exploit code:
Available to organizations by contacting info@xxxxxxxxxxxxxxxxxx
Timeline:
Feb 03, 2009: An email was sent to the security team at OpenX and PGP keys
exchanged
Feb 03, 2009: Sent report to OpenX team with full details
Feb 04, 2009: A patch was provided to us and we verified that the patch fixes
the reported issues
Apr 01, 2009: Co-ordinated information release
Solution:
Upgrade to the latest version of OpenX:
http://www.openx.org/ad-server/download
__________________________________________________________________
About EnableSecurity:
EnableSecurity is dedicated to providing high quality Information Security
Consultancy, Research and Development. EnableSecurity develops security tools
such as VOIPPACK (for Immunity CANVAS) and SIPVicious. EnableSecurity is
focused on analysis of security challenges and providing solutions to such
threats. EnableSecurity works on developing custom targeted security solutions,
as well as working with existing off the shelf security tools to provide the
best results for their customers. More info at enablesecurity.com
About Acunetix:
Acunetix Web Vulnerability Scanner is a tool designed to discover security
holes in web applications that attackers could abuse to gain access to a
business' systems and data. With Acunetix WVS websites can be regularly checked
for vulnerabilities such as SQL injection and Cross Site Scripting. The scanner
ships with many innovative features such as: AcuSensor Technology, automatic
JavaScript analyzer, Visual macro recorders and extensive reporting facilities,
which include various compliance reports.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.