OpenX 2.8.1 remote code execution

2009.11.26
Credit: null
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, OpenX adserver version 2.8.1 and lower is vulnerable to remote code execution. To be exploited, this vulnerability requires banner / file upload permissions, such as granted to the 'advertiser' and 'administrator' roles. This vulnerability is caused by the (insecure) file upload mechanism of affected OpenX versions. These would check magic bytes of an uploaded file to determine its MIME type, and erroneously assume this information to be reliable. Additionally, while the file name of uploaded files is changed, the file extension is not. As such, it is possible to upload image files with embedded PHP code and .php file extension. Unless PHP script execution is explicitly prevented for the file upload location (which has not been documented in the OpenX manual so far and it is not the result of a default installation), the PHP code will execute as soon as HTTP access to the file location will cause it to be executed by the web server. To clarify, an attacker exploiting this security issue does require prior access to OpenX, i.e. exploitation is only possible after successful authentication. On the other hand, advertiser access is a rather low permission level and should not allow for system access. If these bugs were not hidden from OpenX' bug tracker, you could read up more about issue X-5747 here: https://developer.openx.org/jira/browse/OX/fixforversion/10910 OpenX 2.8.2 has already been released in October to fix this issue and can be downloaded from http://www.openx.org/ad-server/download Moritz Naumann Naumann IT Security Consulting Berlin, Germany http://www.moritz-naumann.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEAREKAAYFAksLvToACgkQn6GkvSd/BgxufgCfb27dD4mvPfnOa6YEthKNRzrm C7YAnieGtdnqtzBO28zThXHHy/WnCeHG =3R3Y -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top