amuck-landowner

OpenX ad server found to have 7 month old mass compromise

scv

Massive Nerd
Verified Provider
Javascript has nothing to do with this though. The backdoor was inlined PHP code.

The package is apparently unpacked in a normal installation. On the server being analyzed, the burglars used the back door to store a PHP shell in /www/images/debugs.php; after that they had full access to the server. Their entries in the log file ultimately led to the discovery.
If you look at an exploit for the vulnerability[1] you can see the issue is triggered through another script that apparently calls include() to deliver static content instead of file_get_contents (a pretty big issue in its own right). This inlined PHP code is then executed and presumably allows the attacker to run arbitrary PHP code or system commands. Disclaimer: I haven't actually looked at the backdoor, this is just what I gathered from reading about the issue.

[1] http://packetstorm.foofus.com/1308-exploits/openx_backdoor_php.rb.txt
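As an added illustration of the include()-versus-file_get_contents point above (this is not OpenX code or the exploit; the directory and function names are hypothetical), the vulnerable serving pattern beside a hardened one, plus a check an administrator can run over an existing install:

```php
<?php
// Added illustration, not OpenX code; directory and function names are hypothetical.
// Vulnerable: include() runs the PHP interpreter over the file, so a "<?php ... ?>"
// block embedded in a .gif or .png (like the inlined backdoor) executes on the server.
function serve_static_vulnerable(string $file): void
{
    include '/www/images/' . $file;   // also open to ../ traversal
}

// Hardened: treat the file as opaque bytes, never as code.
function serve_static_safe(string $file): void
{
    $base = realpath('/www/images');
    $allowed = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

    // Resolve the real path and confine it to the static directory.
    $path = realpath($base . '/' . $file);
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    // Serve only expected extensions with a fixed Content-Type, so the browser
    // never sniffs the body as something else.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        http_response_code(403);
        return;
    }
    // readfile() copies bytes to the output; an embedded "<?php" tag is inert.
    header('Content-Type: ' . $allowed[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Defensive check for an existing install: list "image" files that carry a PHP
// open tag, which is how inlined PHP in a static file would look on disk.
function find_php_in_images(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $f) {
        if ($f->isFile() && preg_match('/\.(gif|png|jpe?g)$/i', $f->getFilename())
            && strpos(file_get_contents($f->getPathname()), '<?php') !== false) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}
```

Any file reported by find_php_in_images() deserves a manual look, since a legitimate image has no reason to contain a PHP open tag.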
 

wlanboy

Content Contributor
Yup, just another "because they did not know what a function is doing" security hole...
 